def create_certificate():
root_ca_public_key, root_ca_private_key = asymmetric.generate_pair(
'rsa', bit_size=2048)
with open('root_ca.key', 'wb') as f:
f.write(asymmetric.dump_private_key(root_ca_private_key, u'p'))
with open('root_ca_public.key', 'wb') as f:
f.write(asymmetric.dump_public_key(root_ca_public_key, 'pem'))
builder = CertificateBuilder(
{
u'country_name': u'US',
u'state_or_province_name': u'Massachusetts',
u'locality_name': u'Amherst',
u'organization_name': u'Name Certifying service',
u'common_name': u'NCS Root CA',
}, root_ca_public_key)
builder.self_signed = True
builder.ca = True
root_ca_certificate = builder.build(root_ca_private_key)
with open('root_ca.crt', 'wb') as f:
f.write(pem_armor_certificate(root_ca_certificate))
# Generate an end-entity key and certificate, signed by the root
end_entity_public_key, end_entity_private_key = asymmetric.generate_pair(
'rsa', bit_size=2048)
with open('ramteja_tadishetti_private.key', 'wb') as f:
f.write(asymmetric.dump_private_key(end_entity_private_key, u'p'))
with open('ramteja_tadishetti_public.key', 'wb') as f:
f.write(asymmetric.dump_public_key(end_entity_public_key, 'pem'))
builder = CertificateBuilder(
{
u'country_name': u'US',
u'state_or_province_name': u'Massachusetts',
u'locality_name': u'Amherst',
u'organization_name': u'Ramteja Tadishetti Corp',
u'common_name': u'ramtejatadishetti',
}, end_entity_public_key)
builder.issuer = root_ca_certificate
#builder.set_extension( u'1.2.840.113549.1.1.1', 'ramteja', allow_deprecated=False)
end_entity_certificate = builder.build(root_ca_private_key)
with open('ramteja_tadishetti.crt', 'wb') as f:
f.write(pem_armor_certificate(end_entity_certificate))
def build_ca():
if not os.path.exists(settings.CA_PATH):
os.makedirs(settings.CA_PATH)
root_ca_public_key, root_ca_private_key = asymmetric.generate_pair(
'rsa', bit_size=4096)
with open(settings.CA_KEY, 'wb') as f:
f.write(
asymmetric.dump_private_key(root_ca_private_key,
settings.CA_KEY_PASSWD))
builder = CertificateBuilder(
{
'country_name': 'CR',
'state_or_province_name': 'San Jose',
'locality_name': 'Costa Rica',
'organization_name': 'DFVA Independiente',
'common_name': 'DFVA Root CA 1',
}, root_ca_public_key)
now = timezone.now()
builder.self_signed = True
builder.ca = True
builder.end_date = now + timedelta(settings.CA_CERT_DURATION * 10)
root_ca_certificate = builder.build(root_ca_private_key)
with open(settings.CA_CERT, 'wb') as f:
f.write(pem_armor_certificate(root_ca_certificate))
builder = CertificateListBuilder('http://crl.dfva.info',
root_ca_certificate, 1000)
crl_list = builder.build(root_ca_private_key)
with open(settings.CA_CRL, 'wb') as f:
f.write(crl_list.dump())
def generate_cert_and_key(cn, filename, keysize, keytype='rsa'):
ca_key_name = '%s.key' % filename
ca_cert_name = '%s.crt' % filename
curdir = pathlib.Path(__file__).parent
# Generate and save the key and certificate for the root CA
root_ca_public_key, root_ca_private_key = asymmetric.generate_pair(
keytype, bit_size=keysize)
with open(curdir.joinpath(ca_key_name), 'wb') as f:
f.write(asymmetric.dump_private_key(root_ca_private_key, None))
builder = CertificateBuilder(
{
'country_name': 'US',
'state_or_province_name': 'Massachusetts',
'locality_name': 'Newbury',
'organization_name': 'Codex Non Sufficit LC',
'common_name': cn,
}, root_ca_public_key)
builder.self_signed = True
builder.ca = True
root_ca_certificate = builder.build(root_ca_private_key)
with open(curdir.joinpath(ca_cert_name), 'wb') as f:
f.write(pem_armor_certificate(root_ca_certificate))
def generate_certificate(self, domain, save_model):
"""This function takes a domain name as a parameter and then creates
a certificate and key with the domain name (replacing dots
by underscores), finally signing the certificate using specified CA and
returns the path of key and cert files. If you are yet to generate a CA
then check the top comments"""
logger.info("SimpleCA: certificate creation request %s" % (domain,))
ca_private_key = asymmetric.load_private_key(
self.ca_key,
password=settings.CA_KEY_PASSWD)
ca_certificate = asymmetric.load_certificate(self.ca_crt)
end_entity_public_key, end_entity_private_key = \
asymmetric.generate_pair('rsa', bit_size=2048)
builder = CertificateBuilder(
{
'country_name': 'CR',
'state_or_province_name': 'San Jose',
'locality_name': 'Costa Rica',
'organization_name': save_model.name,
"organizational_unit_name": save_model.institution_unit,
'common_name': domain,
},
end_entity_public_key
)
now = timezone.now()
builder.issuer = ca_certificate
builder.begin_date = now
builder.end_date = now+timedelta(settings.CA_CERT_DURATION)
builder.key_usage = set(['digital_signature'])
end_entity_certificate = builder.build(ca_private_key)
# settings.CA_CERT_DURATION
server_public_key, server_private_key = \
asymmetric.generate_pair('rsa', bit_size=2048)
save_model.private_key = asymmetric.dump_private_key(
end_entity_private_key, None)
save_model.public_key = asymmetric.dump_public_key(
end_entity_public_key)
save_model.public_certificate = pem_armor_certificate(
end_entity_certificate)
save_model.server_sign_key = asymmetric.dump_private_key(
server_private_key, None)
save_model.server_public_key = asymmetric.dump_public_key(
server_public_key)
logger.debug("SimpleCA: New certificate for %s is %r" %
(domain, save_model.public_certificate))
return save_model
def create_certificate_for_client(client_details):
# load client public key
path_for_client_public_key = PUBLIC_KEY_STORE + file_names.get_public_key_name(
client_details['domain_name'])
client_public_key = asymmetric.load_public_key\
(get_byte_stream_for_file(path_for_client_public_key))
root_ca_private_key = asymmetric.load_private_key\
(get_byte_stream_for_file(ROOT_CA_PRIVATE_KEY_PATH), ROOT_CA_PRIVATE_KEY_PASSWORD)
root_ca_public_key = asymmetric.load_public_key\
(get_byte_stream_for_file(ROOT_CA_PUBLIC_KEY))
root_ca_certificate = asymmetric.load_certificate\
(get_byte_stream_for_file(ROOT_CA_CERTIFICATE))
builder = CertificateBuilder(
{
u'country_name': client_details['country'], #.decode('utf-8'),
u'state_or_province_name':
client_details['state'], #.decode('utf-8'),
u'locality_name': client_details['city'], #.decode('utf-8'),
u'organization_name': client_details['name'], #.decode('utf-8'),
u'common_name': get_dns_formatted_name(
client_details['domain_name']), #.decode('utf-8'),
},
client_public_key)
dns_name = []
dns_name.append(u'opengns.com')
builder.issuer = root_ca_certificate
builder.subject_alt_domains = dns_name
#builder.set_extension(u'authority_information_access', u'1.3.6.1.5.5.7.1.1')
client_certificate = builder.build(root_ca_private_key)
client_certificate_name = file_names.get_certificate_name(
client_details['domain_name'])
total_path = CERTIFICATE_OUTPUT_DIRECTORY + client_certificate_name
with open(total_path, 'wb') as f:
f.write(pem_armor_certificate(client_certificate))
return client_certificate_name
def retrieve_cert(self, certificate_request):
log.debug("Getting certificate status for id %s" %
certificate_request.id)
time.sleep(0.1)
end_entity_public_key, end_entity_private_key = asymmetric.generate_pair(
'rsa', bit_size=2048)
builder = CertificateBuilder(
{
'common_name': certificate_request.common_name,
}, end_entity_public_key)
root_ca_certificate = asymmetric.load_certificate(ROOT_CA)
root_ca_private_key = asymmetric.load_private_key(ROOT_CA_KEY)
builder.issuer = root_ca_certificate
end_entity_certificate = builder.build(root_ca_private_key)
return (pem_armor_certificate(end_entity_certificate).decode())
def issue_cert(self, csr: CsrBuilder) -> (PrivateKey, Cert):
public_key, private_key = asymmetric.generate_pair('rsa',
bit_size=4096)
builder = CertificateBuilder(
{
'country_name': 'US',
'state_or_province_name': 'Massachusetts',
'locality_name': 'Newbury',
'organization_name': 'Codex Non Sufficit LC',
'common_name': 'Will Bond',
}, public_key)
builder.self_signed = True
cert = builder.build(private_key)
serial = SerialNumber.from_int(cert.serial_number).as_hex()
keypath = self._cert_dir / (serial + '.key')
with keypath.open('wb') as f:
f.write(asymmetric.dump_private_key(private_key, 'password'))
certpath = self._cert_dir / (serial + '.pem')
with certpath.open('wb') as f:
f.write(pem_armor_certificate(cert))
def create_certificate():
root_ca_public_key, root_ca_private_key = asymmetric.generate_pair(
'rsa', bit_size=2048)
with open('root_ca.key', 'wb') as f:
f.write(asymmetric.dump_private_key(root_ca_private_key, u'p'))
with open('root_ca_public.key', 'wb') as f:
f.write(asymmetric.dump_public_key(root_ca_public_key, 'pem'))
builder = CertificateBuilder(
{
u'country_name': u'US',
u'state_or_province_name': u'Massachusetts',
u'locality_name': u'Amherst',
u'organization_name': u'Name Certifying service',
u'common_name': u'NCS Root CA',
}, root_ca_public_key)
builder.self_signed = True
builder.ca = True
root_ca_certificate = builder.build(root_ca_private_key)
with open('root_ca.crt', 'wb') as f:
f.write(pem_armor_certificate(root_ca_certificate))
import json
import sys
f = open("orqIp.txt", "r")
orq_ip = f.read()
f.close()
keyId = sys.argv[1]
r = requests.get("http://" + orq_ip + ":5000/getKey/" + keyId)
response = dict(json.loads(r.text))
pub_key = response["pubKey"]
asn1PublicKey = core.Asn1Value.load(unhexlify(pub_key))
publicKey = keys.PublicKeyInfo.wrap(asn1PublicKey, u'rsa')
builder = CertificateBuilder(
{
u'country_name': u'SP',
u'state_or_province_name': u'Malaga',
u'locality_name': u'Malaga',
u'organization_name': u'NICS Lab',
u'common_name': u'Certificacion Raiz'
}, publicKey)
builder.self_signed = True
builder.ca = True
root_ca_certificate = builder.build_mpc(int(keyId), orq_ip, "5000")
with open('certificado_raiz.crt', 'wb') as f:
f.write(pem_armor_certificate(root_ca_certificate))
def build_certificate(
hostnames: Collection[str],
password: Optional[str] = None,
) -> Tuple[bytes, bytes]:
"""
Build a self-signed certificate with SANs (subject alternative names).
Returns a tuple of the certificate and its private key (PEM-formatted).
The certificate is "minimally sufficient", without much of the extra
information on the subject besides its common and alternative names.
However, IP addresses are properly recognised and normalised for better
compatibility with strict SSL clients (like apiservers of Kubernetes).
The first non-IP hostname becomes the certificate's common name --
by convention, non-configurable. If no hostnames are found, the first
IP address is used as a fallback. Magic IPs like 0.0.0.0 are excluded.
``certbuilder`` is used as an implementation because it is lightweight:
2.9 MB vs. 8.7 MB for cryptography. Still, it is too heavy to include
as a normal runtime dependency (for 8.8 MB of Kopf itself), so it is
only available as the ``kopf[dev]`` extra for development-mode dependencies.
This can change in the future if self-signed certificates become used
at runtime (e.g. in production/staging environments or other real clusters).
"""
try:
import certbuilder
import oscrypto.asymmetric
except ImportError:
raise MissingDependencyError(
"Using self-signed certificates requires an extra dependency: "
"run `pip install certbuilder` or `pip install kopf[dev]`. "
"Or pass `insecure=True` to a webhook server to use only HTTP. "
"Or generate your own certificates and pass as certfile=/pkeyfile=. "
"More: https://kopf.readthedocs.io/en/stable/admission/")
# Detect which ones of the hostnames are probably IPv4/IPv6 addresses.
# A side-effect: bring them all to their canonical forms.
parsed_ips: Dict[str, Union[ipaddress.IPv4Address,
ipaddress.IPv6Address]] = {}
for hostname in hostnames:
try:
parsed_ips[hostname] = ipaddress.IPv4Address(hostname)
except ipaddress.AddressValueError:
pass
try:
parsed_ips[hostname] = ipaddress.IPv6Address(hostname)
except ipaddress.AddressValueError:
pass
# Later, only the normalised IPs are used as SANs, not the raw IPs.
# Remove bindable but non-accessible addresses (like 0.0.0.0) form the SANs.
true_hostnames = [
hostname for hostname in hostnames if hostname not in parsed_ips
]
accessible_ips = [
str(ip) for ip in parsed_ips.values() if not ip.is_unspecified
]
# Build a certificate as the framework believe is good enough for itself.
subject = {
'common_name':
true_hostnames[0] if true_hostnames else accessible_ips[0]
}
public_key, private_key = oscrypto.asymmetric.generate_pair(
'rsa', bit_size=2048)
builder = certbuilder.CertificateBuilder(subject, public_key)
builder.ca = True
builder.key_usage = {
'digital_signature', 'key_encipherment', 'key_cert_sign',
'crl_sign'
}
builder.extended_key_usage = {'server_auth', 'client_auth'}
builder.self_signed = True
builder.subject_alt_ips = list(set(accessible_ips)) # deduplicate
builder.subject_alt_domains = list(
set(true_hostnames) | set(accessible_ips)) # deduplicate
certificate = builder.build(private_key)
cert_pem: bytes = certbuilder.pem_armor_certificate(certificate)
pkey_pem: bytes = oscrypto.asymmetric.dump_private_key(private_key,
password,
target_ms=10)
return cert_pem, pkey_pem
def _dump_cert(cert):
return pem_armor_certificate(cert)
