def _generate_ca(self):
# Crea KEY de tipo RSA
self.key = PKey()
self.key.generate_key(TYPE_RSA, 2048)
# Crea Certificado X509
self.cert = X509()
self.cert.set_version(3)
# Le puse 10000 no se por que
self.cert.set_serial_number(1)
self.cert.get_subject().CN = 'ca.proxymitm.com'
self.cert.gmtime_adj_notBefore(0)
#Tiempo de duracion del certificado
self.cert.gmtime_adj_notAfter(315360000)
self.cert.set_issuer(self.cert.get_subject())
self.cert.set_pubkey(self.key)
#Atributos del ceriticado
self.cert.add_extensions([
X509Extension("basicConstraints", True, "CA:TRUE, pathlen:0"),
X509Extension("keyUsage", True, "keyCertSign, cRLSign"),
X509Extension("subjectKeyIdentifier",
False,
"hash",
subject=self.cert),
])
self.cert.sign(self.key, "sha256")
with open(self.ca_file, 'wb+') as f:
f.write(dump_privatekey(FILETYPE_PEM, self.key))
f.write(dump_certificate(FILETYPE_PEM, self.cert))
def _generate_ca(self):
'''
This function generates the certificate authority file
'''
# Generate key
self.key = PKey()
self.key.generate_key(TYPE_RSA, 2048)
# Generate certificate
self.cert = X509()
self.cert.set_version(3)
self.cert.set_serial_number(1)
self.cert.get_subject().CN = 'ca.mitm.com'
self.cert.gmtime_adj_notBefore(0)
self.cert.gmtime_adj_notAfter(315360000)
self.cert.set_issuer(self.cert.get_subject())
self.cert.set_pubkey(self.key)
self.cert.add_extensions([
X509Extension("basicConstraints", True, "CA:TRUE, pathlen:0"),
X509Extension("keyUsage", True, "keyCertSign, cRLSign"),
X509Extension("subjectKeyIdentifier",
False,
"hash",
subject=self.cert),
])
self.cert.sign(self.key, "sha1")
with open(self.ca_file, 'wb+') as f:
f.write(dump_privatekey(FILETYPE_PEM, self.key))
f.write(dump_certificate(FILETYPE_PEM, self.cert))
def sign_host_csr(self, certificate_request, ip):
# type: (crypto.X509Req, str) -> crypto.X509
#TODO#55: This is SO SO SO bad.
# Every time the remote needs to sign a cert, it reads them off disk?
# jesus christ that's poorly written prototype shit.
my_key = crypto.load_privatekey(crypto.FILETYPE_PEM, open(self.nebr_instance.get_key_file(), 'rt').read())
my_crt = crypto.load_certificate(crypto.FILETYPE_PEM, open(self.nebr_instance.get_cert_file(), 'rt').read())
not_after = 60 * 60 * 24 * 365 * 1 # one year, totally arbitrary
cert = crypto.X509()
cert.set_version(2)
epoch = datetime.utcfromtimestamp(0)
now = datetime.utcnow()
total_seconds = int((now - epoch).total_seconds())
cert.set_serial_number(total_seconds) # todo: Add some method for actually tracking serial numbers
cert.gmtime_adj_notBefore(0) # these values are seconds from the moment of signing
cert.gmtime_adj_notAfter(not_after) # these values are seconds from the moment of signing
cert.set_issuer(my_crt.get_subject())
cert.set_subject(certificate_request.get_subject())
cert.set_pubkey(certificate_request.get_pubkey())
basic = X509Extension(b'basicConstraints', False, b'CA:false')
alt = X509Extension(b'subjectAltName', False, b'IP.1:{}'.format(ip))
cert.add_extensions([basic, alt])
cert.sign(my_key, 'sha256')
return cert
def create_dummy_certificate(certname,keyname,_dir, force=False) -> bool:
if certname and keyname and _dir:
if path.exists(_dir+keyname) and path.exists(_dir+certname) and not force:
return True
else:
if path.exists(_dir+certname):
remove(_dir+certname)
if path.exists(_dir+keyname):
remove(_dir+keyname)
key = PKey()
key.generate_key(TYPE_RSA, 4096)
cert = X509()
cert.set_serial_number(uuid4().int)
cert.set_version(2)
cert.get_subject().C = "US"
cert.get_subject().ST = "WA"
cert.get_subject().L = "127.0.0.1"
cert.get_subject().O = "github.com/qeeqbox/analyzer"
cert.get_subject().OU = "github.com/qeeqbox/analyzer"
cert.get_subject().CN = "auto generated self signed certificate by qeeqbox/analyzer"
cert.gmtime_adj_notBefore(-60 * 60 * 24 * 365 * 2)
cert.gmtime_adj_notAfter(60 * 60 * 24 * 365 * 2)
cert.set_issuer(cert.get_subject())
cert.set_pubkey(key)
cert.add_extensions([X509Extension(b"basicConstraints", True, b"CA:TRUE, pathlen:0"),
X509Extension(b"keyUsage", True, b"keyCertSign, cRLSign"),
X509Extension(b"subjectKeyIdentifier", False, b"hash", subject=cert),])
cert.sign(key, 'sha256')
with open(_dir+certname, 'wb') as f:
f.write(dump_certificate(FILETYPE_PEM, cert))
with open(_dir+keyname, 'wb') as f:
f.write(dump_privatekey(FILETYPE_PEM, key))
return True
return False
def _gen_ca(self, again=False):
# Generate key
if os.path.exists(self.ca_file_path) and os.path.exists(
self.cert_file_path) and not again:
self._read_ca(self.ca_file_path)
return
self.key = PKey()
self.key.generate_key(TYPE_RSA, 2048)
# Generate certificate
self.cert = X509()
self.cert.set_version(2)
self.cert.set_serial_number(1)
self.cert.get_subject().CN = 'CachingProxy'
self.cert.gmtime_adj_notBefore(0)
self.cert.gmtime_adj_notAfter(315360000)
self.cert.set_issuer(self.cert.get_subject())
self.cert.set_pubkey(self.key)
self.cert.add_extensions([
X509Extension(b"basicConstraints", True, b"CA:TRUE, pathlen:0"),
X509Extension(b"keyUsage", True, b"keyCertSign, cRLSign"),
X509Extension(b"subjectKeyIdentifier",
False,
b"hash",
subject=self.cert),
])
self.cert.sign(self.key, "sha256")
with open(self.ca_file_path, 'wb+') as f:
f.write(dump_privatekey(FILETYPE_PEM, self.key))
f.write(dump_certificate(FILETYPE_PEM, self.cert))
with open(self.cert_file_path, 'wb+') as f:
f.write(dump_certificate(FILETYPE_PEM, self.cert))
def _generate_ca(self):
# Generate key
self.key = PKey()
self.key.generate_key(TYPE_RSA, 2048)
# Generate certificate
self.cert = X509()
self.cert.set_version(3)
self.cert.set_serial_number(1)
self.cert.get_subject().CN = 'Namecoin .bit proxy'
self.cert.gmtime_adj_notBefore(0)
self.cert.gmtime_adj_notAfter(315360000)
self.cert.set_issuer(self.cert.get_subject())
self.cert.set_pubkey(self.key)
self.cert.add_extensions([
X509Extension("basicConstraints", True, "CA:TRUE, pathlen:0"),
X509Extension("keyUsage", True, "keyCertSign, cRLSign"),
X509Extension("subjectKeyIdentifier",
False,
"hash",
subject=self.cert),
])
self.cert.sign(self.key, "sha256")
with open(self.ca_file, 'wb+') as f:
f.write(dump_privatekey(self.filetype, self.key))
f.write(dump_certificate(self.filetype, self.cert))
# export for Windows
with open("ca.crt", 'wb+') as f:
f.write(dump_certificate(self.filetype, self.cert))
def create_self_signed_root_cert(pk, dn):
csr = create_cert_req(pk, dn)
x = create_certificate_from_csr(csr, csr)
ext = list()
ext.append(X509Extension(b'basicConstraints', critical=True, value=b'CA:TRUE'))
ext.append(X509Extension(b'subjectKeyIdentifier', critical=False, value=b'hash', subject=x))
x.add_extensions(ext)
# XXX: Thanks to https://github.com/Eichhoernchen/SiriServerCore for struggling with this before
x.add_extensions((X509Extension(b'authorityKeyIdentifier', critical=False, value=b'keyid:always', issuer=x),))
x.sign(pk, 'SHA256')
return x
def make_cert(filename, cacert=None, cakey=None):
key = PKey()
key.generate_key(TYPE_RSA, 2048)
cert = X509()
subject = cert.get_subject()
subject.C = b"TR"
subject.ST = b"Çorum"
subject.L = b"Başmakçı"
subject.CN = b"localhost"
subject.O = b"Mozilla Test"
subject.OU = b"Autopush Test %s" % filename
subject.emailAddress = b"*****@*****.**"
subjectAltName = X509Extension(b'subjectAltName', False, b'DNS:localhost')
cert.add_extensions([subjectAltName])
cert.set_serial_number(uuid.uuid4().int)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(60 * 60 * 24 * 365 * 100)
cert.set_pubkey(key)
if not cacert:
# self sign
cacert = cert
cakey = key
cert.set_issuer(cacert.get_subject())
cert.sign(cakey, 'sha1')
with open(filename, 'wb') as fp:
fp.write(dump_privatekey(FILETYPE_PEM, key))
fp.write(dump_certificate(FILETYPE_PEM, cert))
return cert, key
def _sign_ca(self, cn, cnp):
# 使用合法的CA证书为代理程序生成服务器证书
# create certificate
try:
key = PKey()
key.generate_key(TYPE_RSA, 2048)
# Generate CSR
req = X509Req()
req.get_subject().CN = cn
req.set_pubkey(key)
req.sign(key, 'sha256')
# Sign CSR
cert = X509()
cert.set_version(2)
cert.set_subject(req.get_subject())
cert.set_serial_number(self.serial)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(31536000)
cert.set_issuer(self.cert.get_subject())
ss = ("DNS:%s" % cn).encode(encoding="utf-8")
cert.add_extensions([X509Extension(b"subjectAltName", False, ss)])
cert.set_pubkey(req.get_pubkey())
cert.sign(self.key, 'sha256')
with open(cnp, 'wb+') as f:
f.write(dump_privatekey(FILETYPE_PEM, key))
f.write(dump_certificate(FILETYPE_PEM, cert))
except Exception as e:
raise Exception("generate CA fail:{}".format(str(e)))
def _generate_ca_given_key(self, key):
cert = X509()
cert.set_version(3)
cert.set_serial_number(1)
cert.get_subject().CN = 'ca.mitm.com'
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(315360000)
cert.set_issuer(cert.get_subject())
cert.set_pubkey(self.key)
cert.add_extensions([
X509Extension("basicConstraints", True, "CA:TRUE, pathlen:0"),
X509Extension("keyUsage", True, "keyCertSign, cRLSign"),
X509Extension("subjectKeyIdentifier", False, "hash", subject=cert),
])
cert.sign(self.key, "sha1")
return cert
def get_user_id(private_key, cert_path):
if os.path.exists(private_key):
with open(private_key) as fd:
key = load_privatekey(FILETYPE_PEM, fd.read())
if key.bits() != 1024:
os.unlink(private_key)
else:
user_id = get_service_id(private_key)
if not os.path.exists(private_key):
if os.path.exists(cert_path):
os.unlink(cert_path)
folder = os.path.dirname(private_key)
if not os.path.exists(folder):
os.makedirs(folder)
os.chmod(folder, 0o700)
key = PKey()
key.generate_key(TYPE_RSA, 1024)
with open(private_key, 'wb') as fd:
os.chmod(private_key, 0o600)
fd.write(dump_privatekey(FILETYPE_PEM, key))
os.chmod(private_key, 0o400)
user_id = get_service_id(private_key)
if not os.path.exists(cert_path):
ca = X509()
ca.set_version(2)
ca.set_serial_number(1)
ca.get_subject().CN = user_id
ca.gmtime_adj_notBefore(0)
ca.gmtime_adj_notAfter(24 * 60 * 60)
ca.set_issuer(ca.get_subject())
ca.set_pubkey(key)
ca.add_extensions([
X509Extension(b"basicConstraints", True, b"CA:TRUE, pathlen:0"),
X509Extension(b"nsCertType", True, b"sslCA"),
X509Extension(
b"extendedKeyUsage", True,
b"serverAuth,clientAuth,emailProtection,timeStamping,msCodeInd,msCodeCom,msCTLSign,msSGC,msEFS,nsSGC"
),
X509Extension(b"keyUsage", False, b"keyCertSign, cRLSign"),
X509Extension(b"subjectKeyIdentifier", False, b"hash", subject=ca),
])
ca.sign(key, "sha256")
with open(cert_path, 'wb') as fd:
fd.write(dump_certificate(FILETYPE_PEM, ca))
return user_id
def create_self_signed_cert(cert_file_path):
private_key_path = re.sub(r".(pem|crt)$",
".key",
cert_file_path,
flags=re.IGNORECASE)
# create public/private key
key = PKey()
key.generate_key(TYPE_RSA, 2048)
# Self-signed cert
cert = X509()
#subject = X509Name(cert.get_subject())
subject = cert.get_subject()
subject.CN = 'localhost'
subject.O = 'XYZ Widgets Inc'
subject.OU = 'IT Department'
subject.L = 'Seattle'
subject.ST = 'Washington'
subject.C = 'US'
subject.emailAddress = '*****@*****.**'
cert.set_version(2)
cert.set_issuer(subject)
cert.set_subject(subject)
#cert.set_serial_number(int(os.urandom(16).encode('hex'),16))
cert.set_serial_number(int(rand.bytes(16).encode('hex'), 16))
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(31536000)
cert.set_pubkey(key)
cert.add_extensions([
X509Extension("basicConstraints", True, "CA:TRUE, pathlen:0"),
X509Extension("keyUsage", True, "keyCertSign, cRLSign"),
X509Extension("subjectKeyIdentifier", False, "hash", subject=cert),
])
cert.sign(key, 'sha256')
with open(cert_file_path, 'wb+') as f:
f.write(dump_certificate(FILETYPE_PEM, cert))
with open(private_key_path, 'wb+') as f:
f.write(dump_privatekey(FILETYPE_PEM, key))
def sign_ca_cert(key, requestObject, dn):
from OpenSSL.crypto import X509, X509Extension
from twisted.internet.ssl import Certificate
req = requestObject.original
cert = X509()
dn._copyInto(cert.get_issuer())
cert.set_subject(req.get_subject())
cert.set_pubkey(req.get_pubkey())
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(60 * 60)
cert.set_serial_number(1)
cert.add_extensions([
X509Extension(b"basicConstraints", True, b"CA:TRUE"),
# Not necessarily a good way to populate subjectAltName but it
# quiets the deprecation warning we get from service_identity.
X509Extension(b"subjectAltName", True, b"DNS:" + dn.commonName),
])
cert.sign(key.original, "sha256")
return Certificate(cert)
def create_self_certificate(pk, subject_dict,expiry =10*365*24*60*60): cert = X509() subject = cert.get_subject() subject = setSubject(subject,subject_dict) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(expiry) cert.set_issuer(cert.get_subject()) cert.set_pubkey(pk) cert.add_extensions([ X509Extension(b"basicConstraints", True,b"CA:TRUE"),\ X509Extension(b"keyUsage", True,b"keyCertSign, cRLSign"),\ X509Extension(b"subjectKeyIdentifier", False, b"hash",subject=cert)]) cert.sign(pk, 'sha256') # dump the certificate in path cert_bytes = dump_certificate(FILETYPE_PEM,cert) return cert_bytes
def get_csr(client, key_id, key_version_id, subject_name, domain,
kms_algorithm, signature_algorithm):
clear_text_public_key_pem = get_public_key(client, key_id, key_version_id)
# kms get_public_key
pkey = load_publickey(FILETYPE_PEM, clear_text_public_key_pem)
req = X509Req()
req.set_pubkey(pkey)
req.get_subject().CN = subject_name.get('CN')
req.get_subject().C = subject_name.get('C')
req.get_subject().O = subject_name.get('O')
req.set_version(0)
# addExtensions
req.add_extensions([
X509Extension(b'subjectAltName', False,
','.join(domain).encode('ascii'))
])
result_buffer = _ffi.new('unsigned char**')
encode_result = _lib.i2d_re_X509_REQ_tbs(req._req, result_buffer)
md_length = _ffi.new("unsigned int *")
md = _ffi.new("unsigned char[]", 32)
evp_md = _lib.EVP_get_digestbyname(b"sha256")
md_ctx = _lib.Cryptography_EVP_MD_CTX_new()
md_ctx = _ffi.gc(md_ctx, _lib.Cryptography_EVP_MD_CTX_free)
_lib.EVP_DigestInit_ex(md_ctx, evp_md, _ffi.NULL)
_lib.EVP_DigestUpdate(md_ctx, result_buffer[0], encode_result)
_lib.EVP_DigestFinal_ex(md_ctx, md, md_length)
psig = _ffi.new("ASN1_BIT_STRING **")
palg = _ffi.new("X509_ALGOR **")
_lib.X509_REQ_get0_signature(req._req, psig, palg)
# kms_sign
sign_data = kms_sign(client, key_id, key_version_id, kms_algorithm,
bytes(md))
_lib.ASN1_STRING_set(psig[0], sign_data, len(sign_data))
psig[0].flags &= ~(0x08 | 0x07)
psig[0].flags |= 0x08
_lib.OPENSSL_free(result_buffer[0])
palg[0].algorithm = _lib.OBJ_nid2obj(_lib.OBJ_sn2nid(signature_algorithm))
csr_pem_str = dump_certificate_request(FILETYPE_PEM, req)
return csr_pem_str
def _add_sans(self):
"""
Adds Subject Alternate names for the certificate based on the
server's current IP address and DNS name
"""
current_ip = X509Cert.get_current_ip()
current_dns_name = socket.gethostbyaddr(current_ip)[0]
current_hostname = socket.gethostname()
sans = set()
for dns_name in [socket.getfqdn(), current_dns_name, current_hostname]:
sans.add("DNS:*.{}".format(dns_name))
sans.add("DNS:{}".format(dns_name))
sans = list(sans)
self.add_extensions([
X509Extension("subjectAltName".encode("utf-8"),
critical=False,
value=",".join(sans).encode("utf-8"))
])
def assert_has_extension(test, credential, name, value):
"""
Assert that the ``X509Extension`` with the matching name from the
certificate has the given value.
:param TestCase test: The current test.
:param FlockerCredential certificate: Credential whose certificate we
should inspect.
:param bytes name: The name of the extension.
:param bytes value: The data encoded in the extension.
:raises AssertionError: If the extension is not found or has the wrong
value.
"""
expected = X509Extension(name, False, value)
x509 = credential.certificate.original
values = []
for i in range(x509.get_extension_count()):
extension = x509.get_extension(i)
if extension.get_short_name() == name:
values.append(extension.get_data())
test.assertIn(expected.get_data(), values)
def __init__(self,
rsa_key,
country,
state,
locality,
org,
cn,
issuer=None):
"""
:param rsa_key: Corresponding key for the certificate
:param country: Cert country
:param state: Cert state
:param locality: Cert locality
:param org: Cert organization
:param cn: Cert common name
:param issuer: OpenSSL.crypto.X509Name for the certificate issuer
"""
super().__init__()
self.set_pubkey(rsa_key)
self.set_notBefore(X509Cert.get_now())
self.set_notAfter(X509Cert.get_year_from_now())
self.set_serial_number(int.from_bytes(os.urandom(8), "big"))
crt_subject = self.get_subject()
crt_subject.C = country
crt_subject.ST = state
crt_subject.L = locality
crt_subject.O = org
crt_subject.CN = cn
if issuer is None:
issuer = crt_subject
self.add_extensions([
X509Extension("basicConstraints".encode("utf-8"),
critical=True,
value="CA:TRUE".encode("utf-8"))
])
self.set_issuer(issuer)
self._add_sans()
def _createCertificateKey(serial,
CN,
starttime,
endtime,
dump_cert_path,
dump_key_path,
issuerCert=None,
issuerKey=None,
key_type=TYPE_RSA,
key_bits=1024,
digest="sha256"):
"""Generate a certificate given a certificate request.
'serial' is the serial number for the certificate
'CN' is the subject common name of the certificate.
'starttime' is the timestamp when the certificate starts
being valid. 0 means now.
'endtime' is the timestamp when the certificate stops being
valid
'dump_cert_path' is the file the generated certificate gets dumped.
'dump_key_path' is the file the generated key gets dumped.
'issuerCert' is the certificate object of the issuer.
'issuerKey' is the key object of the issuer.
'key_type' is the key type. allowed value: TYPE_RSA and TYPE_DSA.
'key_bits' is number of bits to use in the key.
'digest' is the digestion method to use for signing.
"""
key = PKey()
key.generate_key(key_type, key_bits)
cert = X509()
cert.set_serial_number(serial)
cert.gmtime_adj_notBefore(starttime)
cert.gmtime_adj_notAfter(endtime)
cert.get_subject().C = "US"
cert.get_subject().ST = "California"
cert.get_subject().L = "Santa Clara"
cert.get_subject().O = "pkg5"
cert.set_pubkey(key)
# If a issuer is specified, set the issuer. otherwise set cert
# itself as a issuer.
if issuerCert:
cert.get_subject().CN = CN
cert.set_issuer(issuerCert.get_subject())
else:
cert.get_subject().CN = "Depot Test CA"
cert.set_issuer(cert.get_subject())
# If there is a issuer key, sign with that key. Otherwise,
# create a self-signed cert.
# Cert requires bytes.
if issuerKey:
cert.add_extensions(
[X509Extension(b"basicConstraints", True, b"CA:FALSE")])
cert.sign(issuerKey, digest)
else:
cert.add_extensions(
[X509Extension(b"basicConstraints", True, b"CA:TRUE")])
cert.sign(key, digest)
with open(dump_cert_path, "wb") as f:
f.write(dump_certificate(FILETYPE_PEM, cert))
with open(dump_key_path, "wb") as f:
f.write(dump_privatekey(FILETYPE_PEM, key))
return (cert, key)
def add_default_extensions(cert, issuer):
ext = list()
ext.append(X509Extension(b'basicConstraints', critical=True, value=b'CA:FALSE'))
ext.append(X509Extension(b'subjectKeyIdentifier', critical=False, value=b'hash', subject=cert))
ext.append(X509Extension(b'authorityKeyIdentifier', critical=False, value=b'keyid:always', issuer=issuer, subject=issuer))
cert.add_extensions(ext)
def signReqCA(CA_path, CSR_path, password, csr_type='usr'):
'''
Signs the CSR.
Returns bytes of (Chain of trust, Issued Certificate) if csr_type == 'ca'
Returns bytes of (Issued Certificate) if csr_type == 'usr' or 'svr'
CA_path : path of the directory of CA which will sign the request.
* DIRECTORY IN CA PATH MUST BE THE ONE GENERATED USING OpenCA *
'''
if not is_serial_consistent(CA_path):
raise SerialException(
'Serial sequence mismatched, Serial is corrupted')
engine = getDB(CA_path)
Session = sessionmaker(bind=engine)
session = Session()
CA_name = path.split(CA_path)[1]
# load certifiate of the CA
CAcert_bytes = open(
path.join(path.abspath(CA_path), 'certs', (CA_name + '.cert.pem')),
'rb').read()
CAcert = load_certificate(FILETYPE_PEM, CAcert_bytes)
password = bytes(password, 'utf-8') if isinstance(password,
str) else password
# load privatekey of the CA.
CAkey_bytes = open(
path.join(path.abspath(CA_path), 'private',
(CA_name + '.private.pem')), 'rb').read()
CAkey = load_privatekey(FILETYPE_PEM, CAkey_bytes, passphrase=password)
# determine if the request is for a CA
if csr_type == 'ca':
SUBCA_name = path.split(CSR_path)[1]
SUBCA_dir = CSR_path[:]
CSR_path = path.join(path.abspath(CSR_path), 'csr',
(SUBCA_name + '.csr.pem'))
# load the CSR.
CSR_bytes = open(CSR_path, 'rb').read()
CSR = load_certificate_request(FILETYPE_PEM, CSR_bytes)
if CAcert.get_subject().CN == CSR.get_subject().CN:
raise CNException('CN can not be same as parent')
cert = X509()
cert.set_subject(CSR.get_subject())
# Get the last serial number and dump it in serial.old
# Increment the serial number and save it in serial
# give the incremented serial number here
serial = open(path.join(CA_path, 'serial'), 'rb').read()
cert.set_serial_number(int(serial))
open(path.join(CA_path, 'serial.old'), 'wb').write(serial)
open(path.join(CA_path, 'serial'),
'wb').write(bytes(str(int(serial) + 1), 'utf-8'))
cert.gmtime_adj_notBefore(0)
if csr_type == 'ca':
cert.gmtime_adj_notAfter(5 * 365 * 24 * 60 * 60)
cert.add_extensions([ X509Extension(b"basicConstraints", True,b"CA:TRUE, pathlen:0"),\
X509Extension(b"keyUsage", True,b"keyCertSign, cRLSign"),\
X509Extension(b"authorityKeyIdentifier", False, b"keyid:always",issuer= CAcert),\
X509Extension(b"subjectKeyIdentifier", False, b"hash",subject=cert)])
elif csr_type == 'usr':
cert.gmtime_adj_notAfter(1 * 365 * 24 * 60 * 60)
cert.add_extensions([ X509Extension(b"basicConstraints",True,b"CA:FALSE"),\
X509Extension(b"nsCertType",False,b"client, email"),\
X509Extension(b"nsComment",False, b"Certified Using OpenSSL based OpenCA"),\
X509Extension(b"subjectKeyIdentifier",False,b"hash",subject=cert),\
X509Extension(b"authorityKeyIdentifier",False, b"keyid", issuer= CAcert),\
X509Extension(b"keyUsage",True,b"nonRepudiation, digitalSignature, keyEncipherment"),\
X509Extension(b"extendedKeyUsage", False, b"clientAuth, emailProtection")])
elif csr_type == 'svr':
cert.gmtime_adj_notAfter(2 * 365 * 24 * 60 * 30)
cert.add_extensions([ X509Extension(b"basicConstraints",True,b"CA:FALSE"),\
X509Extension(b"nsCertType",False,b"server"),\
X509Extension(b"nsComment",False, b"Certified Using OpenSSL based OpenCA"),\
X509Extension(b"subjectKeyIdentifier",False,b"hash",subject=cert),\
X509Extension(b"authorityKeyIdentifier",False, b"keyid", issuer=CAcert),\
X509Extension(b"keyUsage",True,b"nonRepudiation, digitalSignature, keyEncipherment"),\
X509Extension(b"extendedKeyUsage", False, b"serverAuth")])
cert.set_issuer(CAcert.get_subject())
cert.set_pubkey(CSR.get_pubkey())
cert.sign(CAkey, "sha256")
# Save the signed certificate's information in the index.db
clist = []
for i in cert.get_subject().get_components():
clist.append(i[0] + b'=' + i[1])
cstring = b'/'.join(clist)
cstring = b'/' + cstring + b'/'
IndexObj = Index(expiration_date=cert.get_notAfter(),
serial_number_in_hex=str(serial),
cert_filename=serial.decode('utf-8') + '.cert.pem',
cert_subject=cstring)
session.add(IndexObj)
session.commit()
# save the certificates in newcerts directory of the CA
cert_bytes = dump_certificate(FILETYPE_PEM, cert)
open(
path.join(path.abspath(CA_path), 'newcerts',
(serial.decode('utf-8') + '.cert.pem')),
'wb').write(cert_bytes)
if csr_type == 'ca':
# If csr_type is 'ca' then save the chain of trust and it's certificate
if path.exists(
path.join(path.abspath(CA_path), 'certs',
(CA_name + '.chain.pem'))):
# If CA has a chain then forward that chain further
CAcert_bytes = open(
path.join(path.abspath(CA_path), 'certs',
(CA_name + '.chain.pem')), 'rb').read()
open(
path.join(path.abspath(SUBCA_dir), 'certs',
(SUBCA_name + '.cert.pem')), 'wb').write(cert_bytes)
open(
path.join(path.abspath(SUBCA_dir), 'certs',
(SUBCA_name + '.chain.pem')),
'wb').write(cert_bytes + CAcert_bytes)
return (cert_bytes + CAcert_bytes), cert_bytes
else:
print(
'Certificate Produced @ ',
path.join(path.abspath(path.split(CSR_path)[0]), 'USER.cert.pem'))
if csr_type == 'usr':
open(
path.join(path.abspath(path.split(CSR_path)[0]),
'USER.cert.pem'), 'wb').write(cert_bytes)
elif csr_type == 'svr':
open(
path.join(path.abspath(path.split(CSR_path)[0]),
'SERVER.cert.pem'), 'wb').write(cert_bytes)
return cert_bytes
def generate_new_certificate(ca_cert_path, username, is_ca_generation_request=False, ip=None):
try:
if not is_ca_generation_request:
ca = get_certificate(ca_cert_path)
if not ca:
log.warn("CA with key {} not found in redis".format(ca_cert_path))
return None
ca_key = load_privatekey(FILETYPE_PEM, base64.b64decode(ca.get('k').encode('ascii')))
cert_authority = load_certificate(FILETYPE_PEM, base64.b64decode(ca.get('c').encode('ascii')))
client_key = PKey()
client_key.generate_key(TYPE_RSA, 4096)
x509 = X509()
x509.set_version(2)
x509.set_serial_number(random.randint(0,100000000))
client_subj = x509.get_subject()
client_subj.commonName = username
ca_extension = X509Extension("basicConstraints", False, "CA:FALSE")
key_usage = X509Extension("keyUsage", True, "digitalSignature")
if username == 'kubernetes-apiserver':
san_list = ['IP:{}'.format(ip), 'DNS:kubernetes', 'DNS:kubernetes.default', 'DNS:kubernetes.default.svc', 'DNS:kubernetes.default.svc.cluster', 'DNS:kubernetes.svc.cluster.local']
x509.add_extensions([
ca_extension,
X509Extension("subjectKeyIdentifier", False, "hash", subject=x509),
X509Extension("extendedKeyUsage", True, "clientAuth"),
X509Extension("subjectAltName", False, ', '.join(san_list).encode()),
key_usage
])
else:
x509.add_extensions([
ca_extension,
X509Extension("subjectKeyIdentifier", False, "hash", subject=x509),
X509Extension("extendedKeyUsage", True, "clientAuth"),
key_usage
])
x509.set_issuer(cert_authority.get_subject())
x509.set_pubkey(client_key)
x509.gmtime_adj_notBefore(0)
# default certificate validity is 1 year
x509.gmtime_adj_notAfter(1*365*24*60*60 - 1)
x509.sign(ca_key, 'sha256')
else:
client_key = PKey()
client_key.generate_key(TYPE_RSA, 4096)
x509 = X509()
x509.set_version(2)
x509.set_serial_number(random.randint(0,100000000))
client_subj = x509.get_subject()
client_subj.commonName = username
ca_extension = X509Extension("basicConstraints", True, "CA:TRUE, pathlen:0")
key_usage = X509Extension("keyUsage", False, "cRLSign,digitalSignature,keyCertSign")
x509.add_extensions([
ca_extension,
X509Extension("subjectKeyIdentifier", False, "hash", subject=x509),
X509Extension("extendedKeyUsage", True, "clientAuth"),
key_usage
])
x509.set_issuer(client_subj)
x509.set_pubkey(client_key)
x509.gmtime_adj_notBefore(0)
# default certificate validity is 1 year
x509.gmtime_adj_notAfter(1*365*24*60*60 - 1)
x509.sign(client_key, 'sha256')
b64_cert = base64.b64encode(dump_certificate(FILETYPE_PEM, x509).encode('ascii')).decode('ascii')
b64_key = base64.b64encode(dump_privatekey(FILETYPE_PEM, client_key).encode('ascii')).decode('ascii')
return {"f": mTLS._get_digest(dump_certificate(FILETYPE_PEM, x509)), "c": b64_cert, "k": b64_key}
except Exception as e:
print "Exception: {}".format(e)
return None
ca = X509()
ca.get_subject().commonName = "Bunchy McX"
ca.get_subject().emailAddress = "*****@*****.**"
ca.set_serial_number(1)
ca.gmtime_adj_notBefore(0)
ca.gmtime_adj_notAfter(10 * 365 * 24 * 60 * 60)
ca.set_issuer(ca.get_subject())
ca.set_pubkey(ca_key)
ca.add_extensions([
X509Extension("basicConstraints", True, "CA:TRUE, pathlen:0"),
X509Extension("keyUsage", True, "keyCertSign, cRLSign"),
X509Extension("subjectKeyIdentifier", False, "hash", subject=ca)
])
ca.add_extensions([
X509Extension("authorityKeyIdentifier", False, "keyid:always", issuer=ca)
])
f = open("CA.cert", "w")
f.write(dump_certificate(FILETYPE_PEM, ca))
f.close()
host_key = PKey()
host_key.generate_key(TYPE_RSA, 2048)