def _generate_ca(self): # Crea KEY de tipo RSA self.key = PKey() self.key.generate_key(TYPE_RSA, 2048) # Crea Certificado X509 self.cert = X509() self.cert.set_version(3) # Le puse 10000 no se por que self.cert.set_serial_number(1) self.cert.get_subject().CN = 'ca.proxymitm.com' self.cert.gmtime_adj_notBefore(0) #Tiempo de duracion del certificado self.cert.gmtime_adj_notAfter(315360000) self.cert.set_issuer(self.cert.get_subject()) self.cert.set_pubkey(self.key) #Atributos del ceriticado self.cert.add_extensions([ X509Extension("basicConstraints", True, "CA:TRUE, pathlen:0"), X509Extension("keyUsage", True, "keyCertSign, cRLSign"), X509Extension("subjectKeyIdentifier", False, "hash", subject=self.cert), ]) self.cert.sign(self.key, "sha256") with open(self.ca_file, 'wb+') as f: f.write(dump_privatekey(FILETYPE_PEM, self.key)) f.write(dump_certificate(FILETYPE_PEM, self.cert))
def _generate_ca(self): ''' This function generates the certificate authority file ''' # Generate key self.key = PKey() self.key.generate_key(TYPE_RSA, 2048) # Generate certificate self.cert = X509() self.cert.set_version(3) self.cert.set_serial_number(1) self.cert.get_subject().CN = 'ca.mitm.com' self.cert.gmtime_adj_notBefore(0) self.cert.gmtime_adj_notAfter(315360000) self.cert.set_issuer(self.cert.get_subject()) self.cert.set_pubkey(self.key) self.cert.add_extensions([ X509Extension("basicConstraints", True, "CA:TRUE, pathlen:0"), X509Extension("keyUsage", True, "keyCertSign, cRLSign"), X509Extension("subjectKeyIdentifier", False, "hash", subject=self.cert), ]) self.cert.sign(self.key, "sha1") with open(self.ca_file, 'wb+') as f: f.write(dump_privatekey(FILETYPE_PEM, self.key)) f.write(dump_certificate(FILETYPE_PEM, self.cert))
def sign_host_csr(self, certificate_request, ip): # type: (crypto.X509Req, str) -> crypto.X509 #TODO#55: This is SO SO SO bad. # Every time the remote needs to sign a cert, it reads them off disk? # jesus christ that's poorly written prototype shit. my_key = crypto.load_privatekey(crypto.FILETYPE_PEM, open(self.nebr_instance.get_key_file(), 'rt').read()) my_crt = crypto.load_certificate(crypto.FILETYPE_PEM, open(self.nebr_instance.get_cert_file(), 'rt').read()) not_after = 60 * 60 * 24 * 365 * 1 # one year, totally arbitrary cert = crypto.X509() cert.set_version(2) epoch = datetime.utcfromtimestamp(0) now = datetime.utcnow() total_seconds = int((now - epoch).total_seconds()) cert.set_serial_number(total_seconds) # todo: Add some method for actually tracking serial numbers cert.gmtime_adj_notBefore(0) # these values are seconds from the moment of signing cert.gmtime_adj_notAfter(not_after) # these values are seconds from the moment of signing cert.set_issuer(my_crt.get_subject()) cert.set_subject(certificate_request.get_subject()) cert.set_pubkey(certificate_request.get_pubkey()) basic = X509Extension(b'basicConstraints', False, b'CA:false') alt = X509Extension(b'subjectAltName', False, b'IP.1:{}'.format(ip)) cert.add_extensions([basic, alt]) cert.sign(my_key, 'sha256') return cert
def create_dummy_certificate(certname,keyname,_dir, force=False) -> bool: if certname and keyname and _dir: if path.exists(_dir+keyname) and path.exists(_dir+certname) and not force: return True else: if path.exists(_dir+certname): remove(_dir+certname) if path.exists(_dir+keyname): remove(_dir+keyname) key = PKey() key.generate_key(TYPE_RSA, 4096) cert = X509() cert.set_serial_number(uuid4().int) cert.set_version(2) cert.get_subject().C = "US" cert.get_subject().ST = "WA" cert.get_subject().L = "127.0.0.1" cert.get_subject().O = "github.com/qeeqbox/analyzer" cert.get_subject().OU = "github.com/qeeqbox/analyzer" cert.get_subject().CN = "auto generated self signed certificate by qeeqbox/analyzer" cert.gmtime_adj_notBefore(-60 * 60 * 24 * 365 * 2) cert.gmtime_adj_notAfter(60 * 60 * 24 * 365 * 2) cert.set_issuer(cert.get_subject()) cert.set_pubkey(key) cert.add_extensions([X509Extension(b"basicConstraints", True, b"CA:TRUE, pathlen:0"), X509Extension(b"keyUsage", True, b"keyCertSign, cRLSign"), X509Extension(b"subjectKeyIdentifier", False, b"hash", subject=cert),]) cert.sign(key, 'sha256') with open(_dir+certname, 'wb') as f: f.write(dump_certificate(FILETYPE_PEM, cert)) with open(_dir+keyname, 'wb') as f: f.write(dump_privatekey(FILETYPE_PEM, key)) return True return False
def _gen_ca(self, again=False): # Generate key if os.path.exists(self.ca_file_path) and os.path.exists( self.cert_file_path) and not again: self._read_ca(self.ca_file_path) return self.key = PKey() self.key.generate_key(TYPE_RSA, 2048) # Generate certificate self.cert = X509() self.cert.set_version(2) self.cert.set_serial_number(1) self.cert.get_subject().CN = 'CachingProxy' self.cert.gmtime_adj_notBefore(0) self.cert.gmtime_adj_notAfter(315360000) self.cert.set_issuer(self.cert.get_subject()) self.cert.set_pubkey(self.key) self.cert.add_extensions([ X509Extension(b"basicConstraints", True, b"CA:TRUE, pathlen:0"), X509Extension(b"keyUsage", True, b"keyCertSign, cRLSign"), X509Extension(b"subjectKeyIdentifier", False, b"hash", subject=self.cert), ]) self.cert.sign(self.key, "sha256") with open(self.ca_file_path, 'wb+') as f: f.write(dump_privatekey(FILETYPE_PEM, self.key)) f.write(dump_certificate(FILETYPE_PEM, self.cert)) with open(self.cert_file_path, 'wb+') as f: f.write(dump_certificate(FILETYPE_PEM, self.cert))
def _generate_ca(self): # Generate key self.key = PKey() self.key.generate_key(TYPE_RSA, 2048) # Generate certificate self.cert = X509() self.cert.set_version(3) self.cert.set_serial_number(1) self.cert.get_subject().CN = 'Namecoin .bit proxy' self.cert.gmtime_adj_notBefore(0) self.cert.gmtime_adj_notAfter(315360000) self.cert.set_issuer(self.cert.get_subject()) self.cert.set_pubkey(self.key) self.cert.add_extensions([ X509Extension("basicConstraints", True, "CA:TRUE, pathlen:0"), X509Extension("keyUsage", True, "keyCertSign, cRLSign"), X509Extension("subjectKeyIdentifier", False, "hash", subject=self.cert), ]) self.cert.sign(self.key, "sha256") with open(self.ca_file, 'wb+') as f: f.write(dump_privatekey(self.filetype, self.key)) f.write(dump_certificate(self.filetype, self.cert)) # export for Windows with open("ca.crt", 'wb+') as f: f.write(dump_certificate(self.filetype, self.cert))
def create_self_signed_root_cert(pk, dn): csr = create_cert_req(pk, dn) x = create_certificate_from_csr(csr, csr) ext = list() ext.append(X509Extension(b'basicConstraints', critical=True, value=b'CA:TRUE')) ext.append(X509Extension(b'subjectKeyIdentifier', critical=False, value=b'hash', subject=x)) x.add_extensions(ext) # XXX: Thanks to https://github.com/Eichhoernchen/SiriServerCore for struggling with this before x.add_extensions((X509Extension(b'authorityKeyIdentifier', critical=False, value=b'keyid:always', issuer=x),)) x.sign(pk, 'SHA256') return x
def make_cert(filename, cacert=None, cakey=None): key = PKey() key.generate_key(TYPE_RSA, 2048) cert = X509() subject = cert.get_subject() subject.C = b"TR" subject.ST = b"Çorum" subject.L = b"Başmakçı" subject.CN = b"localhost" subject.O = b"Mozilla Test" subject.OU = b"Autopush Test %s" % filename subject.emailAddress = b"*****@*****.**" subjectAltName = X509Extension(b'subjectAltName', False, b'DNS:localhost') cert.add_extensions([subjectAltName]) cert.set_serial_number(uuid.uuid4().int) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(60 * 60 * 24 * 365 * 100) cert.set_pubkey(key) if not cacert: # self sign cacert = cert cakey = key cert.set_issuer(cacert.get_subject()) cert.sign(cakey, 'sha1') with open(filename, 'wb') as fp: fp.write(dump_privatekey(FILETYPE_PEM, key)) fp.write(dump_certificate(FILETYPE_PEM, cert)) return cert, key
def _sign_ca(self, cn, cnp): # 使用合法的CA证书为代理程序生成服务器证书 # create certificate try: key = PKey() key.generate_key(TYPE_RSA, 2048) # Generate CSR req = X509Req() req.get_subject().CN = cn req.set_pubkey(key) req.sign(key, 'sha256') # Sign CSR cert = X509() cert.set_version(2) cert.set_subject(req.get_subject()) cert.set_serial_number(self.serial) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(31536000) cert.set_issuer(self.cert.get_subject()) ss = ("DNS:%s" % cn).encode(encoding="utf-8") cert.add_extensions([X509Extension(b"subjectAltName", False, ss)]) cert.set_pubkey(req.get_pubkey()) cert.sign(self.key, 'sha256') with open(cnp, 'wb+') as f: f.write(dump_privatekey(FILETYPE_PEM, key)) f.write(dump_certificate(FILETYPE_PEM, cert)) except Exception as e: raise Exception("generate CA fail:{}".format(str(e)))
def _generate_ca_given_key(self, key): cert = X509() cert.set_version(3) cert.set_serial_number(1) cert.get_subject().CN = 'ca.mitm.com' cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(315360000) cert.set_issuer(cert.get_subject()) cert.set_pubkey(self.key) cert.add_extensions([ X509Extension("basicConstraints", True, "CA:TRUE, pathlen:0"), X509Extension("keyUsage", True, "keyCertSign, cRLSign"), X509Extension("subjectKeyIdentifier", False, "hash", subject=cert), ]) cert.sign(self.key, "sha1") return cert
def get_user_id(private_key, cert_path): if os.path.exists(private_key): with open(private_key) as fd: key = load_privatekey(FILETYPE_PEM, fd.read()) if key.bits() != 1024: os.unlink(private_key) else: user_id = get_service_id(private_key) if not os.path.exists(private_key): if os.path.exists(cert_path): os.unlink(cert_path) folder = os.path.dirname(private_key) if not os.path.exists(folder): os.makedirs(folder) os.chmod(folder, 0o700) key = PKey() key.generate_key(TYPE_RSA, 1024) with open(private_key, 'wb') as fd: os.chmod(private_key, 0o600) fd.write(dump_privatekey(FILETYPE_PEM, key)) os.chmod(private_key, 0o400) user_id = get_service_id(private_key) if not os.path.exists(cert_path): ca = X509() ca.set_version(2) ca.set_serial_number(1) ca.get_subject().CN = user_id ca.gmtime_adj_notBefore(0) ca.gmtime_adj_notAfter(24 * 60 * 60) ca.set_issuer(ca.get_subject()) ca.set_pubkey(key) ca.add_extensions([ X509Extension(b"basicConstraints", True, b"CA:TRUE, pathlen:0"), X509Extension(b"nsCertType", True, b"sslCA"), X509Extension( b"extendedKeyUsage", True, b"serverAuth,clientAuth,emailProtection,timeStamping,msCodeInd,msCodeCom,msCTLSign,msSGC,msEFS,nsSGC" ), X509Extension(b"keyUsage", False, b"keyCertSign, cRLSign"), X509Extension(b"subjectKeyIdentifier", False, b"hash", subject=ca), ]) ca.sign(key, "sha256") with open(cert_path, 'wb') as fd: fd.write(dump_certificate(FILETYPE_PEM, ca)) return user_id
def create_self_signed_cert(cert_file_path): private_key_path = re.sub(r".(pem|crt)$", ".key", cert_file_path, flags=re.IGNORECASE) # create public/private key key = PKey() key.generate_key(TYPE_RSA, 2048) # Self-signed cert cert = X509() #subject = X509Name(cert.get_subject()) subject = cert.get_subject() subject.CN = 'localhost' subject.O = 'XYZ Widgets Inc' subject.OU = 'IT Department' subject.L = 'Seattle' subject.ST = 'Washington' subject.C = 'US' subject.emailAddress = '*****@*****.**' cert.set_version(2) cert.set_issuer(subject) cert.set_subject(subject) #cert.set_serial_number(int(os.urandom(16).encode('hex'),16)) cert.set_serial_number(int(rand.bytes(16).encode('hex'), 16)) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(31536000) cert.set_pubkey(key) cert.add_extensions([ X509Extension("basicConstraints", True, "CA:TRUE, pathlen:0"), X509Extension("keyUsage", True, "keyCertSign, cRLSign"), X509Extension("subjectKeyIdentifier", False, "hash", subject=cert), ]) cert.sign(key, 'sha256') with open(cert_file_path, 'wb+') as f: f.write(dump_certificate(FILETYPE_PEM, cert)) with open(private_key_path, 'wb+') as f: f.write(dump_privatekey(FILETYPE_PEM, key))
def sign_ca_cert(key, requestObject, dn): from OpenSSL.crypto import X509, X509Extension from twisted.internet.ssl import Certificate req = requestObject.original cert = X509() dn._copyInto(cert.get_issuer()) cert.set_subject(req.get_subject()) cert.set_pubkey(req.get_pubkey()) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(60 * 60) cert.set_serial_number(1) cert.add_extensions([ X509Extension(b"basicConstraints", True, b"CA:TRUE"), # Not necessarily a good way to populate subjectAltName but it # quiets the deprecation warning we get from service_identity. X509Extension(b"subjectAltName", True, b"DNS:" + dn.commonName), ]) cert.sign(key.original, "sha256") return Certificate(cert)
def create_self_certificate(pk, subject_dict,expiry =10*365*24*60*60): cert = X509() subject = cert.get_subject() subject = setSubject(subject,subject_dict) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(expiry) cert.set_issuer(cert.get_subject()) cert.set_pubkey(pk) cert.add_extensions([ X509Extension(b"basicConstraints", True,b"CA:TRUE"),\ X509Extension(b"keyUsage", True,b"keyCertSign, cRLSign"),\ X509Extension(b"subjectKeyIdentifier", False, b"hash",subject=cert)]) cert.sign(pk, 'sha256') # dump the certificate in path cert_bytes = dump_certificate(FILETYPE_PEM,cert) return cert_bytes
def get_csr(client, key_id, key_version_id, subject_name, domain, kms_algorithm, signature_algorithm): clear_text_public_key_pem = get_public_key(client, key_id, key_version_id) # kms get_public_key pkey = load_publickey(FILETYPE_PEM, clear_text_public_key_pem) req = X509Req() req.set_pubkey(pkey) req.get_subject().CN = subject_name.get('CN') req.get_subject().C = subject_name.get('C') req.get_subject().O = subject_name.get('O') req.set_version(0) # addExtensions req.add_extensions([ X509Extension(b'subjectAltName', False, ','.join(domain).encode('ascii')) ]) result_buffer = _ffi.new('unsigned char**') encode_result = _lib.i2d_re_X509_REQ_tbs(req._req, result_buffer) md_length = _ffi.new("unsigned int *") md = _ffi.new("unsigned char[]", 32) evp_md = _lib.EVP_get_digestbyname(b"sha256") md_ctx = _lib.Cryptography_EVP_MD_CTX_new() md_ctx = _ffi.gc(md_ctx, _lib.Cryptography_EVP_MD_CTX_free) _lib.EVP_DigestInit_ex(md_ctx, evp_md, _ffi.NULL) _lib.EVP_DigestUpdate(md_ctx, result_buffer[0], encode_result) _lib.EVP_DigestFinal_ex(md_ctx, md, md_length) psig = _ffi.new("ASN1_BIT_STRING **") palg = _ffi.new("X509_ALGOR **") _lib.X509_REQ_get0_signature(req._req, psig, palg) # kms_sign sign_data = kms_sign(client, key_id, key_version_id, kms_algorithm, bytes(md)) _lib.ASN1_STRING_set(psig[0], sign_data, len(sign_data)) psig[0].flags &= ~(0x08 | 0x07) psig[0].flags |= 0x08 _lib.OPENSSL_free(result_buffer[0]) palg[0].algorithm = _lib.OBJ_nid2obj(_lib.OBJ_sn2nid(signature_algorithm)) csr_pem_str = dump_certificate_request(FILETYPE_PEM, req) return csr_pem_str
def _add_sans(self): """ Adds Subject Alternate names for the certificate based on the server's current IP address and DNS name """ current_ip = X509Cert.get_current_ip() current_dns_name = socket.gethostbyaddr(current_ip)[0] current_hostname = socket.gethostname() sans = set() for dns_name in [socket.getfqdn(), current_dns_name, current_hostname]: sans.add("DNS:*.{}".format(dns_name)) sans.add("DNS:{}".format(dns_name)) sans = list(sans) self.add_extensions([ X509Extension("subjectAltName".encode("utf-8"), critical=False, value=",".join(sans).encode("utf-8")) ])
def assert_has_extension(test, credential, name, value): """ Assert that the ``X509Extension`` with the matching name from the certificate has the given value. :param TestCase test: The current test. :param FlockerCredential certificate: Credential whose certificate we should inspect. :param bytes name: The name of the extension. :param bytes value: The data encoded in the extension. :raises AssertionError: If the extension is not found or has the wrong value. """ expected = X509Extension(name, False, value) x509 = credential.certificate.original values = [] for i in range(x509.get_extension_count()): extension = x509.get_extension(i) if extension.get_short_name() == name: values.append(extension.get_data()) test.assertIn(expected.get_data(), values)
def __init__(self, rsa_key, country, state, locality, org, cn, issuer=None): """ :param rsa_key: Corresponding key for the certificate :param country: Cert country :param state: Cert state :param locality: Cert locality :param org: Cert organization :param cn: Cert common name :param issuer: OpenSSL.crypto.X509Name for the certificate issuer """ super().__init__() self.set_pubkey(rsa_key) self.set_notBefore(X509Cert.get_now()) self.set_notAfter(X509Cert.get_year_from_now()) self.set_serial_number(int.from_bytes(os.urandom(8), "big")) crt_subject = self.get_subject() crt_subject.C = country crt_subject.ST = state crt_subject.L = locality crt_subject.O = org crt_subject.CN = cn if issuer is None: issuer = crt_subject self.add_extensions([ X509Extension("basicConstraints".encode("utf-8"), critical=True, value="CA:TRUE".encode("utf-8")) ]) self.set_issuer(issuer) self._add_sans()
def _createCertificateKey(serial, CN, starttime, endtime, dump_cert_path, dump_key_path, issuerCert=None, issuerKey=None, key_type=TYPE_RSA, key_bits=1024, digest="sha256"): """Generate a certificate given a certificate request. 'serial' is the serial number for the certificate 'CN' is the subject common name of the certificate. 'starttime' is the timestamp when the certificate starts being valid. 0 means now. 'endtime' is the timestamp when the certificate stops being valid 'dump_cert_path' is the file the generated certificate gets dumped. 'dump_key_path' is the file the generated key gets dumped. 'issuerCert' is the certificate object of the issuer. 'issuerKey' is the key object of the issuer. 'key_type' is the key type. allowed value: TYPE_RSA and TYPE_DSA. 'key_bits' is number of bits to use in the key. 'digest' is the digestion method to use for signing. """ key = PKey() key.generate_key(key_type, key_bits) cert = X509() cert.set_serial_number(serial) cert.gmtime_adj_notBefore(starttime) cert.gmtime_adj_notAfter(endtime) cert.get_subject().C = "US" cert.get_subject().ST = "California" cert.get_subject().L = "Santa Clara" cert.get_subject().O = "pkg5" cert.set_pubkey(key) # If a issuer is specified, set the issuer. otherwise set cert # itself as a issuer. if issuerCert: cert.get_subject().CN = CN cert.set_issuer(issuerCert.get_subject()) else: cert.get_subject().CN = "Depot Test CA" cert.set_issuer(cert.get_subject()) # If there is a issuer key, sign with that key. Otherwise, # create a self-signed cert. # Cert requires bytes. if issuerKey: cert.add_extensions( [X509Extension(b"basicConstraints", True, b"CA:FALSE")]) cert.sign(issuerKey, digest) else: cert.add_extensions( [X509Extension(b"basicConstraints", True, b"CA:TRUE")]) cert.sign(key, digest) with open(dump_cert_path, "wb") as f: f.write(dump_certificate(FILETYPE_PEM, cert)) with open(dump_key_path, "wb") as f: f.write(dump_privatekey(FILETYPE_PEM, key)) return (cert, key)
def add_default_extensions(cert, issuer): ext = list() ext.append(X509Extension(b'basicConstraints', critical=True, value=b'CA:FALSE')) ext.append(X509Extension(b'subjectKeyIdentifier', critical=False, value=b'hash', subject=cert)) ext.append(X509Extension(b'authorityKeyIdentifier', critical=False, value=b'keyid:always', issuer=issuer, subject=issuer)) cert.add_extensions(ext)
def signReqCA(CA_path, CSR_path, password, csr_type='usr'): ''' Signs the CSR. Returns bytes of (Chain of trust, Issued Certificate) if csr_type == 'ca' Returns bytes of (Issued Certificate) if csr_type == 'usr' or 'svr' CA_path : path of the directory of CA which will sign the request. * DIRECTORY IN CA PATH MUST BE THE ONE GENERATED USING OpenCA * ''' if not is_serial_consistent(CA_path): raise SerialException( 'Serial sequence mismatched, Serial is corrupted') engine = getDB(CA_path) Session = sessionmaker(bind=engine) session = Session() CA_name = path.split(CA_path)[1] # load certifiate of the CA CAcert_bytes = open( path.join(path.abspath(CA_path), 'certs', (CA_name + '.cert.pem')), 'rb').read() CAcert = load_certificate(FILETYPE_PEM, CAcert_bytes) password = bytes(password, 'utf-8') if isinstance(password, str) else password # load privatekey of the CA. CAkey_bytes = open( path.join(path.abspath(CA_path), 'private', (CA_name + '.private.pem')), 'rb').read() CAkey = load_privatekey(FILETYPE_PEM, CAkey_bytes, passphrase=password) # determine if the request is for a CA if csr_type == 'ca': SUBCA_name = path.split(CSR_path)[1] SUBCA_dir = CSR_path[:] CSR_path = path.join(path.abspath(CSR_path), 'csr', (SUBCA_name + '.csr.pem')) # load the CSR. CSR_bytes = open(CSR_path, 'rb').read() CSR = load_certificate_request(FILETYPE_PEM, CSR_bytes) if CAcert.get_subject().CN == CSR.get_subject().CN: raise CNException('CN can not be same as parent') cert = X509() cert.set_subject(CSR.get_subject()) # Get the last serial number and dump it in serial.old # Increment the serial number and save it in serial # give the incremented serial number here serial = open(path.join(CA_path, 'serial'), 'rb').read() cert.set_serial_number(int(serial)) open(path.join(CA_path, 'serial.old'), 'wb').write(serial) open(path.join(CA_path, 'serial'), 'wb').write(bytes(str(int(serial) + 1), 'utf-8')) cert.gmtime_adj_notBefore(0) if csr_type == 'ca': cert.gmtime_adj_notAfter(5 * 365 * 24 * 60 * 60) cert.add_extensions([ X509Extension(b"basicConstraints", True,b"CA:TRUE, pathlen:0"),\ X509Extension(b"keyUsage", True,b"keyCertSign, cRLSign"),\ X509Extension(b"authorityKeyIdentifier", False, b"keyid:always",issuer= CAcert),\ X509Extension(b"subjectKeyIdentifier", False, b"hash",subject=cert)]) elif csr_type == 'usr': cert.gmtime_adj_notAfter(1 * 365 * 24 * 60 * 60) cert.add_extensions([ X509Extension(b"basicConstraints",True,b"CA:FALSE"),\ X509Extension(b"nsCertType",False,b"client, email"),\ X509Extension(b"nsComment",False, b"Certified Using OpenSSL based OpenCA"),\ X509Extension(b"subjectKeyIdentifier",False,b"hash",subject=cert),\ X509Extension(b"authorityKeyIdentifier",False, b"keyid", issuer= CAcert),\ X509Extension(b"keyUsage",True,b"nonRepudiation, digitalSignature, keyEncipherment"),\ X509Extension(b"extendedKeyUsage", False, b"clientAuth, emailProtection")]) elif csr_type == 'svr': cert.gmtime_adj_notAfter(2 * 365 * 24 * 60 * 30) cert.add_extensions([ X509Extension(b"basicConstraints",True,b"CA:FALSE"),\ X509Extension(b"nsCertType",False,b"server"),\ X509Extension(b"nsComment",False, b"Certified Using OpenSSL based OpenCA"),\ X509Extension(b"subjectKeyIdentifier",False,b"hash",subject=cert),\ X509Extension(b"authorityKeyIdentifier",False, b"keyid", issuer=CAcert),\ X509Extension(b"keyUsage",True,b"nonRepudiation, digitalSignature, keyEncipherment"),\ X509Extension(b"extendedKeyUsage", False, b"serverAuth")]) cert.set_issuer(CAcert.get_subject()) cert.set_pubkey(CSR.get_pubkey()) cert.sign(CAkey, "sha256") # Save the signed certificate's information in the index.db clist = [] for i in cert.get_subject().get_components(): clist.append(i[0] + b'=' + i[1]) cstring = b'/'.join(clist) cstring = b'/' + cstring + b'/' IndexObj = Index(expiration_date=cert.get_notAfter(), serial_number_in_hex=str(serial), cert_filename=serial.decode('utf-8') + '.cert.pem', cert_subject=cstring) session.add(IndexObj) session.commit() # save the certificates in newcerts directory of the CA cert_bytes = dump_certificate(FILETYPE_PEM, cert) open( path.join(path.abspath(CA_path), 'newcerts', (serial.decode('utf-8') + '.cert.pem')), 'wb').write(cert_bytes) if csr_type == 'ca': # If csr_type is 'ca' then save the chain of trust and it's certificate if path.exists( path.join(path.abspath(CA_path), 'certs', (CA_name + '.chain.pem'))): # If CA has a chain then forward that chain further CAcert_bytes = open( path.join(path.abspath(CA_path), 'certs', (CA_name + '.chain.pem')), 'rb').read() open( path.join(path.abspath(SUBCA_dir), 'certs', (SUBCA_name + '.cert.pem')), 'wb').write(cert_bytes) open( path.join(path.abspath(SUBCA_dir), 'certs', (SUBCA_name + '.chain.pem')), 'wb').write(cert_bytes + CAcert_bytes) return (cert_bytes + CAcert_bytes), cert_bytes else: print( 'Certificate Produced @ ', path.join(path.abspath(path.split(CSR_path)[0]), 'USER.cert.pem')) if csr_type == 'usr': open( path.join(path.abspath(path.split(CSR_path)[0]), 'USER.cert.pem'), 'wb').write(cert_bytes) elif csr_type == 'svr': open( path.join(path.abspath(path.split(CSR_path)[0]), 'SERVER.cert.pem'), 'wb').write(cert_bytes) return cert_bytes
def generate_new_certificate(ca_cert_path, username, is_ca_generation_request=False, ip=None): try: if not is_ca_generation_request: ca = get_certificate(ca_cert_path) if not ca: log.warn("CA with key {} not found in redis".format(ca_cert_path)) return None ca_key = load_privatekey(FILETYPE_PEM, base64.b64decode(ca.get('k').encode('ascii'))) cert_authority = load_certificate(FILETYPE_PEM, base64.b64decode(ca.get('c').encode('ascii'))) client_key = PKey() client_key.generate_key(TYPE_RSA, 4096) x509 = X509() x509.set_version(2) x509.set_serial_number(random.randint(0,100000000)) client_subj = x509.get_subject() client_subj.commonName = username ca_extension = X509Extension("basicConstraints", False, "CA:FALSE") key_usage = X509Extension("keyUsage", True, "digitalSignature") if username == 'kubernetes-apiserver': san_list = ['IP:{}'.format(ip), 'DNS:kubernetes', 'DNS:kubernetes.default', 'DNS:kubernetes.default.svc', 'DNS:kubernetes.default.svc.cluster', 'DNS:kubernetes.svc.cluster.local'] x509.add_extensions([ ca_extension, X509Extension("subjectKeyIdentifier", False, "hash", subject=x509), X509Extension("extendedKeyUsage", True, "clientAuth"), X509Extension("subjectAltName", False, ', '.join(san_list).encode()), key_usage ]) else: x509.add_extensions([ ca_extension, X509Extension("subjectKeyIdentifier", False, "hash", subject=x509), X509Extension("extendedKeyUsage", True, "clientAuth"), key_usage ]) x509.set_issuer(cert_authority.get_subject()) x509.set_pubkey(client_key) x509.gmtime_adj_notBefore(0) # default certificate validity is 1 year x509.gmtime_adj_notAfter(1*365*24*60*60 - 1) x509.sign(ca_key, 'sha256') else: client_key = PKey() client_key.generate_key(TYPE_RSA, 4096) x509 = X509() x509.set_version(2) x509.set_serial_number(random.randint(0,100000000)) client_subj = x509.get_subject() client_subj.commonName = username ca_extension = X509Extension("basicConstraints", True, "CA:TRUE, pathlen:0") key_usage = X509Extension("keyUsage", False, "cRLSign,digitalSignature,keyCertSign") x509.add_extensions([ ca_extension, X509Extension("subjectKeyIdentifier", False, "hash", subject=x509), X509Extension("extendedKeyUsage", True, "clientAuth"), key_usage ]) x509.set_issuer(client_subj) x509.set_pubkey(client_key) x509.gmtime_adj_notBefore(0) # default certificate validity is 1 year x509.gmtime_adj_notAfter(1*365*24*60*60 - 1) x509.sign(client_key, 'sha256') b64_cert = base64.b64encode(dump_certificate(FILETYPE_PEM, x509).encode('ascii')).decode('ascii') b64_key = base64.b64encode(dump_privatekey(FILETYPE_PEM, client_key).encode('ascii')).decode('ascii') return {"f": mTLS._get_digest(dump_certificate(FILETYPE_PEM, x509)), "c": b64_cert, "k": b64_key} except Exception as e: print "Exception: {}".format(e) return None
ca = X509() ca.get_subject().commonName = "Bunchy McX" ca.get_subject().emailAddress = "*****@*****.**" ca.set_serial_number(1) ca.gmtime_adj_notBefore(0) ca.gmtime_adj_notAfter(10 * 365 * 24 * 60 * 60) ca.set_issuer(ca.get_subject()) ca.set_pubkey(ca_key) ca.add_extensions([ X509Extension("basicConstraints", True, "CA:TRUE, pathlen:0"), X509Extension("keyUsage", True, "keyCertSign, cRLSign"), X509Extension("subjectKeyIdentifier", False, "hash", subject=ca) ]) ca.add_extensions([ X509Extension("authorityKeyIdentifier", False, "keyid:always", issuer=ca) ]) f = open("CA.cert", "w") f.write(dump_certificate(FILETYPE_PEM, ca)) f.close() host_key = PKey() host_key.generate_key(TYPE_RSA, 2048)