def get_signed_cert(
common_name: str,
san_dns_names: Optional[List[str]] = None,
san_ip_addresses: Optional[List[str]] = None,
resotocore_uri: str = None,
psk: str = None,
ca_cert_path: str = None,
) -> Tuple[RSAPrivateKey, Certificate]:
if resotocore_uri is None:
resotocore_uri = getattr(ArgumentParser.args, "resotocore_uri", None)
if psk is None:
psk = getattr(ArgumentParser.args, "psk", None)
cert_key = gen_rsa_key()
cert_csr = gen_csr(cert_key, common_name, san_dns_names, san_ip_addresses)
cert_csr_bytes = csr_to_bytes(cert_csr)
headers = {}
if psk is not None:
encode_jwt_to_headers(headers, {}, psk)
request_kwargs = {}
if ca_cert_path is not None:
request_kwargs["verify"] = ca_cert_path
r = requests.post(f"{resotocore_uri}/ca/sign",
cert_csr_bytes,
headers=headers,
**request_kwargs)
cert_bytes = r.content
cert_crt = load_cert_from_bytes(cert_bytes)
return cert_key, cert_crt
def create_host_certificate(self, ca_key: RSAPrivateKey, ca_cert: Certificate) -> Tuple[RSAPrivateKey, Certificate]:
key = gen_rsa_key()
host_names = get_local_hostnames(args=self.args)
host_ips = get_local_ip_addresses(args=self.args)
log.info(f'Create host certificate for hostnames:{", ".join(host_names)} and ips:{", ".join(host_ips)}')
csr = gen_csr(key, san_dns_names=list(host_names), san_ip_addresses=list(host_ips))
cert = sign_csr(csr, ca_key, ca_cert)
return key, cert
def test_x509():
with tempfile.TemporaryDirectory() as tmp:
ca_key, ca_cert = bootstrap_ca()
cert_key = gen_rsa_key()
gen_csr(cert_key) # dummy call to generate CSR without SANs
cert_csr = gen_csr(
cert_key,
san_dns_names=["example.com"],
san_ip_addresses=["10.0.1.1", "10.0.0.0/24"],
)
cert_crt = sign_csr(cert_csr, ca_key, ca_cert)
ca_key_path = os.path.join(tmp, "ca.key")
ca_cert_path = os.path.join(tmp, "ca.crt")
cert_key_path = os.path.join(tmp, "cert.key")
cert_key_passphrase = "foobar"
cert_csr_path = os.path.join(tmp, "cert.csr")
cert_crt_path = os.path.join(tmp, "cert.crt")
write_key_to_file(ca_key, key_path=ca_key_path)
write_cert_to_file(ca_cert, cert_path=ca_cert_path)
write_key_to_file(cert_key,
key_path=cert_key_path,
passphrase=cert_key_passphrase)
write_csr_to_file(cert_csr, csr_path=cert_csr_path)
write_cert_to_file(cert_crt, cert_path=cert_crt_path)
loaded_ca_key = load_key_from_file(ca_key_path)
loaded_ca_cert = load_cert_from_file(ca_cert_path)
loaded_cert_key = load_key_from_file(cert_key_path,
passphrase=cert_key_passphrase)
loaded_cert_csr = load_csr_from_file(cert_csr_path)
loaded_cert_crt = load_cert_from_file(cert_crt_path)
assert loaded_ca_cert == ca_cert
assert loaded_cert_csr == cert_csr
assert loaded_cert_crt == cert_crt
assert cert_fingerprint(loaded_ca_cert) == cert_fingerprint(ca_cert)
assert cert_fingerprint(loaded_cert_crt) == cert_fingerprint(cert_crt)
assert key_to_bytes(ca_key) == key_to_bytes(loaded_ca_key)
assert key_to_bytes(cert_key) == key_to_bytes(loaded_cert_key)
def create_key_and_cert(
self, common_name: str, dns_names: List[str], ip_addresses: List[str], days_valid: int
) -> Tuple[RSAPrivateKey, Certificate]:
key = gen_rsa_key()
csr = gen_csr(
key,
include_loopback=False,
common_name=common_name,
san_dns_names=dns_names,
san_ip_addresses=ip_addresses,
discover_local_dns_names=False,
discover_local_ip_addresses=False,
)
cert = sign_csr(csr, self._ca_key, self._ca_cert, days_valid)
return key, cert
def __create_host_certificate(
cfg: CertificateConfig, ca_key: RSAPrivateKey, ca_cert: Certificate
) -> Tuple[RSAPrivateKey, Certificate]:
key = gen_rsa_key()
host_names = get_local_hostnames(
include_loopback=cfg.include_loopback,
san_ip_addresses=cfg.san_ip_addresses,
san_dns_names=cfg.san_dns_names,
)
host_ips = get_local_ip_addresses(include_loopback=cfg.include_loopback, san_ip_addresses=cfg.san_ip_addresses)
log.info(f'Create host certificate for hostnames:{", ".join(host_names)} and ips:{", ".join(host_ips)}')
csr = gen_csr(
key,
common_name=cfg.common_name,
san_dns_names=list(host_names),
san_ip_addresses=list(host_ips),
include_loopback=cfg.include_loopback,
)
cert = sign_csr(csr, ca_key, ca_cert)
return key, cert
def disabled_test_secure_web():
with tempfile.TemporaryDirectory() as tmp:
ca_key, ca_cert = bootstrap_ca()
cert_key = gen_rsa_key()
cert_csr = gen_csr(cert_key, common_name="localhost")
cert_crt = sign_csr(cert_csr, ca_key, ca_cert)
ca_cert_path = os.path.join(tmp, "ca.crt")
cert_key_path = os.path.join(tmp, "cert.key")
cert_crt_path = os.path.join(tmp, "cert.crt")
write_cert_to_file(ca_cert, cert_path=ca_cert_path)
write_key_to_file(cert_key, key_path=cert_key_path)
write_cert_to_file(cert_crt, cert_path=cert_crt_path)
free_port = get_free_port()
print(f"Starting https webserver on port {free_port}")
web_server = WebServer(WebApp(),
web_port=free_port,
ssl_cert=cert_crt_path,
ssl_key=cert_key_path)
web_server.daemon = True
web_server.start()
start_time = time.time()
while not web_server.serving:
if time.time() - start_time > 10:
raise RuntimeError("timeout waiting for web server start")
time.sleep(0.1)
endpoint = f"https://localhost:{free_port}"
r = requests.get(f"{endpoint}/health", verify=ca_cert_path)
assert r.text == "ok\r\n"
web_server.shutdown()
while web_server.is_alive():
print("Waiting for web server to shutdown")
time.sleep(1)
cherrypy.engine
def test_sign(cert_handler: CertificateHandler) -> None:
cert_bytes, fingerprint = cert_handler.sign(csr_to_bytes(gen_csr(gen_rsa_key())))
cert = load_cert_from_bytes(cert_bytes)
assert cert_fingerprint(cert) == fingerprint