def _makeContext(self): ctx = SSL.Context(self.method) if self.certificate is not None and self.privateKey is not None: if isinstance(self.certificate, basestring): ctx.use_certificate(crypto.load_certificate( crypto.FILETYPE_PEM, self.certificate)) else: ctx.use_certificate(crypto.load_certificate( crypto.FILETYPE_PEM, self.certificate.content)) if isinstance(self.privateKey, basestring): ctx.use_privatekey(crypto.load_privatekey( crypto.FILETYPE_PEM, self.privateKey)) else: ctx.use_privatekey(crypto.load_privatekey( crypto.FILETYPE_PEM, self.privateKey.privateKey)) # Sanity check ctx.check_privatekey() verifyFlags = SSL.VERIFY_NONE if self.verify: verifyFlags = SSL.VERIFY_PEER if self.requireCertificate: verifyFlags |= SSL.VERIFY_FAIL_IF_NO_PEER_CERT if self.verifyOnce: verifyFlags |= SSL.VERIFY_CLIENT_ONCE if self.caCerts: store = ctx.get_cert_store() if isinstance(self.caCerts, basestring): store.add_cert(crypto.load_certificate( crypto.FILETYPE_PEM, self.caCerts)) else: for cert in self.caCerts: content = None if isinstance(cert, basestring): content = cert else: content = cert.content store.add_cert(crypto.load_certificate( crypto.FILETYPE_PEM, content)) ctx.set_verify(verifyFlags, self._verify) if self.verifyDepth is not None: ctx.set_verify_depth(self.verifyDepth) if self.enableSingleUseKeys: ctx.set_options(SSL.OP_SINGLE_DH_USE) if self.fixBrokenPeers: ctx.set_options(self._OP_ALL) if self.enableSessions: sessionName = md5.md5("%s-%d" % (reflect.qual(self.__class__), _sessionCounter())).hexdigest() ctx.set_session_id(sessionName) return ctx
def test_create_ca_and_signing_pairs(self): # use one common test to avoid generating CA pair twice # do not mock out pyOpenSSL, test generated keys/certs # create CA pair ca_key_pem, ca_cert_pem = keystone_pki.create_ca_pair() ca_key = crypto.load_privatekey(crypto.FILETYPE_PEM, ca_key_pem) ca_cert = crypto.load_certificate(crypto.FILETYPE_PEM, ca_cert_pem) # check CA key properties self.assertTrue(ca_key.check()) self.assertEqual(2048, ca_key.bits()) # check CA cert properties self.assertFalse(ca_cert.has_expired()) self.assertEqual('Keystone CA', ca_cert.get_issuer().CN) self.assertEqual('Keystone CA', ca_cert.get_subject().CN) # create signing pair signing_key_pem, signing_cert_pem = keystone_pki.create_signing_pair( ca_key_pem, ca_cert_pem) signing_key = crypto.load_privatekey(crypto.FILETYPE_PEM, signing_key_pem) signing_cert = crypto.load_certificate(crypto.FILETYPE_PEM, signing_cert_pem) # check signing key properties self.assertTrue(signing_key.check()) self.assertEqual(2048, signing_key.bits()) # check signing cert properties self.assertFalse(signing_cert.has_expired()) self.assertEqual('Keystone CA', signing_cert.get_issuer().CN) self.assertEqual('Keystone Signing', signing_cert.get_subject().CN)
def _ReadJSONKeystore(ks_contents, passwd=None): """Read the client email and private key from a JSON keystore. Assumes this keystore was downloaded from the Cloud Platform Console. By default, JSON keystore private keys from the Cloud Platform Console aren't encrypted so the passwd is optional as load_privatekey will prompt for the PEM passphrase if the key is encrypted. Arguments: ks_contents: JSON formatted string representing the keystore contents. Must be a valid JSON string and contain the fields 'private_key' and 'client_email'. passwd: Passphrase for encrypted private keys. Returns: key: Parsed private key from the keystore. client_email: The email address for the service account. Raises: ValueError: If unable to parse ks_contents or keystore is missing required fields. """ ks = json.loads(ks_contents) if 'client_email' not in ks or 'private_key' not in ks: raise ValueError('JSON keystore doesn\'t contain required fields') client_email = ks['client_email'] if passwd: key = load_privatekey(FILETYPE_PEM, ks['private_key'], passwd) else: key = load_privatekey(FILETYPE_PEM, ks['private_key']) return key, client_email
def check_load_privatekey_callback(self): """ Call the function with an encrypted PEM and a passphrase callback. """ for i in xrange(self.iterations * 10): load_privatekey( FILETYPE_PEM, self.ENCRYPTED_PEM, lambda *args: "hello, secret")
def load_from_string(self, string): if glo_passphrase_callback: self.key = crypto.load_privatekey(crypto.FILETYPE_PEM, string, functools.partial(glo_passphrase_callback, self, string) ) self.m2key = M2Crypto.EVP.load_key_string(string, functools.partial(glo_passphrase_callback, self, string) ) else: self.key = crypto.load_privatekey(crypto.FILETYPE_PEM, string) self.m2key = M2Crypto.EVP.load_key_string(string)
def loadPrivateKey(path): """Import an private key from file to python object @param path [str] : the path to the private key file to import @return [OpenSSL.crypto.PKey] the certificate object that correspond to the certificate file [None] if an error occur """ assert path is not None try: # open file in binary mode f_cert = open(path, 'rb').read() except IOError as e: g_sys_log.error('Unable to open private key file : ' + str(e)) return None try: # try to load the key as PEM format key = crypto.load_privatekey(crypto.FILETYPE_PEM, f_cert) except crypto.Error as e: # if error try with another format try: # try to load the cert as ASN1 format key = crypto.load_privatekey(crypto.FILETYPE_ASN1, f_cert) g_sys_log.warning('Private Key "%s" is not in PEM recommanded format', path) except crypto.Error as e: g_sys_log.error('Unable to import private key : ' + str(e)) return None return key
def on_button_import_key_clicked(self, widget): path = self.filechooserbutton_ssl_key.get_filename() if path: f = open(path, "r") text = f.read() f.close() try: crypto.load_privatekey(crypto.FILETYPE_PEM, text) except: md = gtk.MessageDialog(None, flags=0, type=gtk.MESSAGE_ERROR, buttons=gtk.BUTTONS_OK, message_format="Could not import does not appear to be a valid key!") md.run() md.destroy() return key_path = os.path.join("/etc/ssl/private/", os.path.basename(path)) if not Shell.command.sudo_exists(key_path): Shell.command.write_file(key_path, text) self.entry_ssl_key_location.set_text(key_path) else: md = gtk.MessageDialog(None, flags=0, type=gtk.MESSAGE_ERROR, buttons=gtk.BUTTONS_CLOSE, message_format="A key with that filename already exists") result = md.run() md.destroy()
def generate_csr(): request_data = json.loads(request.data.decode()) csr_filename = str(request_data['csrFilename']) with open(CERTIFICATE_SIGNING_REQUEST_DIR + csr_filename, "w+") as csr_file: certificate_signing_request = crypto.X509Req() certificate_signing_request.get_subject().CN = str(request_data['commonName']) certificate_signing_request.get_subject().O = str(request_data['organization']) certificate_signing_request.get_subject().OU = str(request_data['organizationalUnit']) certificate_signing_request.get_subject().L = str(request_data['city']) certificate_signing_request.get_subject().ST = str(request_data['state']) certificate_signing_request.get_subject().C = str(request_data['country']) certificate_signing_request.get_subject().emailAddress = str(request_data['email']) selected_pkey_filename = str(request_data['private_key']) try: if 'passphrase' in request_data: selected_pkey_passphrase = str(request_data['passphrase']) selected_key = crypto.load_privatekey(crypto.FILETYPE_PEM, open(PRIVATE_KEY_DIR + selected_pkey_filename).read(), selected_pkey_passphrase) else: selected_key = crypto.load_privatekey(crypto.FILETYPE_PEM, open(PRIVATE_KEY_DIR + selected_pkey_filename).read()) certificate_signing_request.set_pubkey(selected_key) certificate_signing_request.sign(selected_key, "sha256") print csr_file.write(crypto.dump_certificate_request(crypto.FILETYPE_PEM, certificate_signing_request)) csr_file.seek(0) csr_data = csr_file.read() responseObject = {} responseObject['csr'] = csr_data, responseObject['message'] = 'CSR successfully created.' return jsonify(responseObject), 201 except Error, error: return jsonify(str(error)), 400
def test_certfile_contains_key(self): path = self.cc['www.example.com'].certfile assert os.path.exists(path) # Check key path can be successfully loaded as private key and doesn't # requires password, lambda is for case where password is required load_privatekey(FILETYPE_PEM, open(path).read(), lambda: "")
def create_cert_signed_certificate(self, sign_cert_str, sign_key_str, request_cert_str, hash_alg="sha256", valid_from=0, valid_to=315360000, sn=1, passphrase=None): """ Will sign a certificate request with a give certificate. :param sign_cert_str: This certificate will be used to sign with. Must be a string representation of the certificate. If you only have a file use the method read_str_from_file to get a string representation. :param sign_key_str: This is the key for the ca_cert_str represented as a string. If you only have a file use the method read_str_from_file to get a string representation. :param request_cert_str: This is the prepared certificate to be signed. Must be a string representation of the requested certificate. If you only have a file use the method read_str_from_file to get a string representation. :param hash_alg: Hash algorithm to use for the key. Default is sha256. :param valid_from: When the certificate starts to be valid. Amount of seconds from when the certificate is generated. :param valid_to: How long the certificate will be valid from when it is generated. The value is in seconds. Default is 315360000 seconds, a.k.a 10 years. :param sn: Serial number for the certificate. Default is 1. :param passphrase: Password for the private key in sign_key_str. :return: String representation of the signed certificate. """ ca_cert = crypto.load_certificate(crypto.FILETYPE_PEM, sign_cert_str) ca_key = None if passphrase is not None: ca_key = crypto.load_privatekey(crypto.FILETYPE_PEM, sign_key_str, passphrase) else: ca_key = crypto.load_privatekey(crypto.FILETYPE_PEM, sign_key_str) req_cert = crypto.load_certificate_request(crypto.FILETYPE_PEM, request_cert_str) cert = crypto.X509() cert.set_subject(req_cert.get_subject()) cert.set_serial_number(sn) cert.gmtime_adj_notBefore(valid_from) cert.gmtime_adj_notAfter(valid_to) cert.set_issuer(ca_cert.get_subject()) cert.set_pubkey(req_cert.get_pubkey()) cert.sign(ca_key, hash_alg) cert_dump = crypto.dump_certificate(crypto.FILETYPE_PEM, cert) if isinstance(cert_dump, six.string_types): return cert_dump return cert_dump.decode('utf-8')
def _generate_csr_from_private_key(order_model, project_model): """Generate a CSR from the private key. :param: order_model - order for the request :param: project_model - project for this request :return: CSR (certificate signing request) in PEM format :raise: :class:`StoredKeyPrivateKeyNotFound` if private key not found :class:`StoredKeyContainerNotFound` if container not found """ container_id, container = _get_container_from_order_meta(order_model, project_model) if not container: raise excep.StoredKeyContainerNotFound(container_id) passphrase = None private_key = None for cs in container.container_secrets: secret_repo = repos.get_secret_repository() if cs.name == "private_key": private_key_model = secret_repo.get(cs.secret_id, project_model.external_id) private_key = plugin.get_secret("application/pkcs8", private_key_model, project_model) elif cs.name == "private_key_passphrase": passphrase_model = secret_repo.get(cs.secret_id, project_model.external_id) passphrase = plugin.get_secret("text/plain;charset=utf-8", passphrase_model, project_model) passphrase = str(passphrase) if not private_key: raise excep.StoredKeyPrivateKeyNotFound(container.id) if passphrase is None: pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, private_key) else: pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, private_key, passphrase) subject_name = order_model.meta.get("subject_dn") subject_name_dns = ldap.dn.str2dn(subject_name) extensions = order_model.meta.get("extensions", None) req = crypto.X509Req() subj = req.get_subject() # Note: must iterate over the DNs in reverse order, or the resulting # subject name will be reversed. for ava in reversed(subject_name_dns): for key, val, extra in ava: setattr(subj, key.upper(), val) req.set_pubkey(pkey) if extensions: # TODO(alee-3) We need code here to parse the encoded extensions and # convert them into X509Extension objects. This code will also be # used in the validation code. Commenting out for now till we figure # out how to do this. # req.add_extensions(extensions) pass req.sign(pkey, "sha256") csr = crypto.dump_certificate_request(crypto.FILETYPE_PEM, req) return csr
def key(self): self.ensure_exists() if self.key_path: with open(self.key_path) as key_fh: return crypto.load_privatekey(crypto.FILETYPE_PEM, key_fh.read()) else: return crypto.load_privatekey(crypto.FILETYPE_PEM, self._key_val)
def test_create_temp_self_signed_cert_returns_key_as_second_value(self): with open(self.key, 'rb') as f: data = f.read() try: crypto.load_privatekey(crypto.FILETYPE_PEM, data) except crypto.Error: self.fail('First file is not a key')
def run(self, id, updated_fields): def update_all_signed_certs_and_get_ids(old_signing_name, new_signing_name): certs = self.datastore.query('crypto.certificates', ('signing_ca_name', '=', old_signing_name)) for c in certs: c['signing_ca_name'] = new_signing_name self.datastore.update('crypto.certificates', c['id'], c) return [c['id'] for c in certs] ids = [id] if not self.datastore.exists('crypto.certificates', ('id', '=', id)): raise TaskException(errno.ENOENT, 'Certificate ID {0} does not exist'.format(id)) cert = self.datastore.get_by_id('crypto.certificates', id) if cert['type'] in ('CA_EXISTING', 'CERT_EXISTING'): if 'certificate' in updated_fields: try: crypto.load_certificate(crypto.FILETYPE_PEM, updated_fields['certificate']) except Exception: raise TaskException(errno.EINVAL, 'Invalid certificate') if 'privatekey' in updated_fields: try: crypto.load_privatekey(crypto.FILETYPE_PEM, updated_fields['privatekey']) except Exception: raise TaskException(errno.EINVAL, 'Invalid privatekey') if 'name' in updated_fields: if self.datastore.exists('crypto.certificates', ('name', '=', updated_fields['name'])): raise TaskException(errno.EEXIST, 'Certificate name : "{0}" already in use'.format(updated_fields['name'])) else: if len(updated_fields) > 1 or 'name' not in updated_fields: raise TaskException(errno.EINVAL, 'Only "name" field can be modified'.format(id)) if self.datastore.exists('crypto.certificates', ('name', '=', updated_fields['name'])): raise TaskException(errno.EEXIST, 'Certificate name : "{0}" already in use'.format(updated_fields['name'])) try: if 'certificate' in updated_fields: cert['certificate'] = updated_fields['certificate'] cert.update(get_cert_info(cert['certificate'])) if 'privatekey' in updated_fields: cert['privatekey'] = updated_fields['privatekey'] if 'name' in updated_fields: old_name = cert['name'] cert['name'] = updated_fields['name'] ids.extend(update_all_signed_certs_and_get_ids(old_name, cert['name'])) pkey = self.datastore.update('crypto.certificates', id, cert) self.dispatcher.call_sync('etcd.generation.generate_group', 'crypto') self.dispatcher.dispatch_event('crypto.certificate.changed', { 'operation': 'update', 'ids': ids }) except DatastoreException as e: raise TaskException(errno.EBADMSG, 'Cannot update certificate: {0}'.format(str(e))) except RpcException as e: raise TaskException(errno.ENXIO, 'Cannot generate certificate: {0}'.format(str(e))) return pkey
def run(self, certificate): if self.datastore.exists('crypto.certificates', ('name', '=', certificate['name'])): raise TaskException(errno.EEXIST, 'Certificate named "{0}" already exists'.format(certificate['name'])) new_cert_db_entry = {} new_cert_db_entry['name'] = certificate['name'] new_cert_db_entry['type'] = certificate['type'] if certificate.get('certificate_path'): imported_cert = crypto.load_certificate( crypto.FILETYPE_PEM, get_file_contents(certificate['certificate_path']).encode('utf-8')) elif certificate.get('certificate'): imported_cert = crypto.load_certificate(crypto.FILETYPE_PEM, certificate['certificate'].encode('utf-8')) else: imported_cert = False if imported_cert: new_cert_db_entry['certificate'] = crypto.dump_certificate( crypto.FILETYPE_PEM, imported_cert).decode('utf-8') new_cert_db_entry.update(get_cert_info(imported_cert)) new_cert_db_entry['serial'] = str(imported_cert.get_serial_number()) #certificate['selfsigned'] = False new_cert_db_entry['not_before'] = get_utc_string_from_asn1generalizedtime( imported_cert.get_notBefore().decode('utf-8')) new_cert_db_entry['not_after'] = get_utc_string_from_asn1generalizedtime( imported_cert.get_notAfter().decode('utf-8')) new_cert_db_entry['lifetime'] = 3650 else: new_cert_db_entry['certificate'] = "" if certificate.get('privatekey_path'): imported_privkey = crypto.load_privatekey( crypto.FILETYPE_PEM, get_file_contents(certificate['privatekey_path'])) elif certificate.get('privatekey'): imported_privkey = crypto.load_privatekey(crypto.FILETYPE_PEM, certificate['privatekey']) else: imported_privkey = False if imported_privkey: new_cert_db_entry['privatekey'] = crypto.dump_privatekey( crypto.FILETYPE_PEM, imported_privkey).decode('utf-8') new_cert_db_entry['key_length'] = imported_privkey.bits() else: new_cert_db_entry['privatekey'] = "" try: pkey = self.datastore.insert('crypto.certificates', new_cert_db_entry) self.dispatcher.call_sync('etcd.generation.generate_group', 'crypto') self.dispatcher.dispatch_event('crypto.certificate.changed', { 'operation': 'create', 'ids': [pkey] }) except DatastoreException as e: raise TaskException(errno.EBADMSG, 'Cannot import certificate: {0}'.format(str(e))) except RpcException as e: raise TaskException(errno.ENXIO, 'Cannot generate certificate: {0}'.format(str(e))) return pkey
def check_load_privatekey_callback_wrong_type(self): """ Call the function with an encrypted PEM and a passphrase callback which returns a non-string. """ for i in xrange(self.iterations * 10): try: load_privatekey(FILETYPE_PEM, self.ENCRYPTED_PEM, lambda *args: {}) except ValueError: pass
def check_load_privatekey_callback_incorrect(self): """ Call the function with an encrypted PEM and a passphrase callback which returns the wrong passphrase. """ for i in xrange(self.iterations * 10): try: load_privatekey(FILETYPE_PEM, self.ENCRYPTED_PEM, lambda *args: "hello, public") except Error: pass
def test_dump_privatekey_passphrase(self): """ L{dump_privatekey} writes an encrypted PEM when given a passphrase. """ passphrase = "foo" key = load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM) pem = dump_privatekey(FILETYPE_PEM, key, "blowfish", passphrase) self.assertTrue(isinstance(pem, str)) loadedKey = load_privatekey(FILETYPE_PEM, pem, passphrase) self.assertTrue(isinstance(loadedKey, PKeyType)) self.assertEqual(loadedKey.type(), key.type()) self.assertEqual(loadedKey.bits(), key.bits())
def get_validate_tls_key_cert(server_tls_dir, fs_name): pem, full_path = get_full_tls(server_tls_dir, 'keys-certs', fs_name) # Only validate it's there. crypto.load_privatekey(crypto.FILETYPE_PEM, pem) # Really do something with a certificate though. cert = crypto.load_certificate(crypto.FILETYPE_PEM, pem) subject = sorted(dict(cert.get_subject().get_components()).items()) return cert.digest(b'sha1'), '; '.join(['{}={}'.format(k, v) for k, v in subject]), full_path
def build_dfc_identity(keystore, key_name, keystore_password, key_password, hostname): pk = get_private_key(keystore, key_name, keystore_password, key_password) if not pk: return None cert = pk.cert_chain[0][1] cert = crypto.load_certificate(crypto.FILETYPE_ASN1, cert) cn = cert.get_subject().commonName if pk.algorithm_oid == jks.util.RSA_ENCRYPTION_OID: pk = crypto.load_privatekey(crypto.FILETYPE_ASN1, pk.pkey) else: pk = crypto.load_privatekey(crypto.FILETYPE_ASN1, pk.pkey_pkcs8) data = "%s\t%d\t%s\t%s" % (cn, time.time(), hostname, "") signature = crypto.sign(pk, data, b"sha1") return str("%s\t%s" % (data, jks.base64.b64encode(signature)))
def gen_certificate(self, cn, alt_names=None): assert cn # Load ROOTCA certificate and private key. if self.options.ca_crt and self.options.ca_key: crt = open(os.path.join(self.options.ca_crt)) key = open(os.path.join(self.options.ca_key)) capair = ( crypto.load_privatekey(crypto.FILETYPE_PEM, key.read()), crypto.load_certificate(crypto.FILETYPE_PEM, crt.read()), ) crt.close() key.close() else: capair = ( crypto.load_privatekey(crypto.FILETYPE_PEM, ROOTCA_KEY), crypto.load_certificate(crypto.FILETYPE_PEM, ROOTCA_CRT), ) pkey = WebCert.create_key_pair(crypto.TYPE_RSA, 1024) subject = F5TEST_SUBJECT subject.CN = cn req = WebCert.create_cert_request(pkey, **subject) serial = random.randint(0, MAXINT) extensions = [] if alt_names: tmp = ",".join(["DNS:%s" % name for name in alt_names if name and name != cn]) if tmp: extensions.append(crypto.X509Extension(b("subjectAltName"), False, b(tmp))) # Stick some nifty extensions- just for fun. extensions.append(crypto.X509Extension(b("basicConstraints"), False, b("CA:FALSE"))) extensions.append(crypto.X509Extension(b("keyUsage"), False, b("digitalSignature,keyEncipherment"))) extensions.append(crypto.X509Extension(b("extendedKeyUsage"), False, b("serverAuth,clientAuth"))) extensions.append(crypto.X509Extension(b("authorityInfoAccess"), False, b("caIssuers;email:[email protected]"))) extensions.append( crypto.X509Extension(b("crlDistributionPoints"), False, b("URI:http://172.27.58.1/rootca.crl")) ) return ( pkey, WebCert.create_certificate( req, capair, serial, (-60 * 60 * 24 * 1, 60 * 60 * 24 * 365 * 10), # -1 .. 10 years extensions=extensions, ), )
def load_privatekey(path, passphrase=None): """Load the specified OpenSSL private key.""" try: if passphrase: privatekey = crypto.load_privatekey(crypto.FILETYPE_PEM, open(path, 'rb').read(), to_bytes(passphrase)) else: privatekey = crypto.load_privatekey(crypto.FILETYPE_PEM, open(path, 'rb').read()) return privatekey except (IOError, OSError) as exc: raise OpenSSLObjectError(exc)
def get_validate_tls_key_cert(server_tls_dir, fs_name): full_path = os.path.join(server_tls_dir, 'keys-certs', fs_name) if not os.path.exists(full_path): raise Exception('No such path `{}`'.format(full_path)) pem = open(full_path).read() # Only validate it's there. crypto.load_privatekey(crypto.FILETYPE_PEM, pem) # Really do something with a certificate though. cert = crypto.load_certificate(crypto.FILETYPE_PEM, pem) subject = sorted(dict(cert.get_subject().get_components()).items()) return cert.digest(b'sha1'), '; '.join(['{}={}'.format(k, v) for k, v in subject]), full_path
def verify_container_keys_valid(self, secret_dict, with_passphrase=False): # verify generated keys can be parsed if with_passphrase: crypto.load_privatekey( crypto.FILETYPE_PEM, secret_dict['private_key'], secret_dict['private_key_passphrase']) else: self.assertFalse('private_key_passphrase' in secret_dict) crypto.load_privatekey( crypto.FILETYPE_PEM, secret_dict['private_key']) RSA.importKey(secret_dict['public_key'])
def generate_sha1_rsa_md5_signature(self, data): '''Generates SHA1-RSA-MD5 hash required for receipt signature (ZKI)''' key_pem = open(self.key_path).read() if self.key_passphrase: pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, key_pem, self.key_passphrase) else: pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, key_pem) signature = crypto.sign(pkey, data, 'sha1') signature = md5(signature).hexdigest() return signature
def pemf(self, passphrase): pem = crypto.X509() blump = self.pkey key = crypto.load_privatekey(crypto.FILETYPE_PEM, self.pkey) cert = crypto.load_certificate(crypto.FILETYPE_PEM, self.x509 + "\n" + self.profile.ca.ca_cert) pem.set_privatekey(key) pem.set_certificate(cert)
def pkcs12(self, passphrase): p12 = crypto.PKCS12() key = crypto.load_privatekey(crypto.FILETYPE_PEM, self.pkey) cert = crypto.load_certificate(crypto.FILETYPE_PEM, self.x509 + "\n" + self.profile.ca.ca_cert) p12.set_privatekey(key) p12.set_certificate(cert) return p12.export(passphrase)
def pkcs12(self, passphrase): p12 = crypto.PKCS12() key = crypto.load_privatekey(crypto.FILETYPE_PEM, self.ca_key) cert = crypto.load_certificate(crypto.FILETYPE_PEM, self.ca_cert) p12.set_privatekey(key) p12.set_certificate(cert) return crypto.dump_pkcs12(p12,passphrase, "")
def _get_pem_key(credentials): """Gets private key for a PEM payload from a credentials object. :type credentials: :class:`service_account.ServiceAccountCredentials`, :param credentials: The credentials used to create a private key for signing text. :rtype: :class:`OpenSSL.crypto.PKey` :returns: A PKey object used to sign text. :raises: `TypeError` if `credentials` is the wrong type. `EnvironmentError` if `crypto` did not import successfully. """ if isinstance(credentials, ServiceAccountCredentials): if credentials._private_key_pkcs12 is not None: # Take our PKCS12 (.p12) text and convert to PEM text. pem_text = crypt.pkcs12_key_as_pem( credentials._private_key_pkcs12, credentials._private_key_password) else: pem_text = credentials._private_key_pkcs8_pem else: raise TypeError((credentials, 'not a valid service account credentials type')) if crypto is None: raise EnvironmentError( 'pyOpenSSL must be installed to load a private key') return crypto.load_privatekey(crypto.FILETYPE_PEM, pem_text)
def test_get_credentials(self): # Test output from get_trustroots assert isinstance(_mu.credentials, tuple) cert = crypto.load_certificate(crypto.FILETYPE_PEM, _mu.credentials[0]) key = crypto.load_privatekey(crypto.FILETYPE_PEM, _mu.credentials[1]) assert isinstance(cert, crypto.X509) assert isinstance(key, crypto.PKey)
def import_srv_crt_to_keystore(): config = hookenv.config() for cert_type in ('server', 'client'): password = keystore_password() crt_path = os.path.join( KAFKA_REST_DATA, "{}.crt".format(cert_type) ) key_path = os.path.join( KAFKA_REST_DATA, "{}.key".format(cert_type) ) if os.path.isfile(crt_path) and os.path.isfile(key_path): with open(crt_path, 'rt') as f: cert = f.read() loaded_cert = crypto.load_certificate( crypto.FILETYPE_PEM, cert ) if not data_changed( 'confluent_kafka_rest{}_certificate'.format(cert_type), cert ): if not config['ssl_key_password']: log('server certificate of key file missing') return with open(key_path, 'rt') as f: loaded_key = crypto.load_privatekey( crypto.FILETYPE_PEM, f.read() ) with tempfile.NamedTemporaryFile() as tmp: log('server certificate changed') keystore_path = os.path.join( KAFKA_REST_DATA, "confluent_kafka_rest.{}.jks".format(cert_type) ) if os.path.isfile(keystore_path): os.remove(keystore_path) pkcs12 = crypto.PKCS12Type() pkcs12.set_certificate(loaded_cert) pkcs12.set_privatekey(loaded_key) pkcs12_data = pkcs12.export(password) log('opening tmp file {}'.format(tmp.name)) # write cert and private key to the pkcs12 file tmp.write(pkcs12_data) tmp.flush() log('importing pkcs12') # import the pkcs12 into the keystore check_call([ 'keytool', '-v', '-importkeystore', '-srckeystore', str(tmp.name), '-srcstorepass', password, '-srcstoretype', 'PKCS12', '-destkeystore', keystore_path, '-deststoretype', 'JKS', '-deststorepass', password, '--noprompt' ]) set_state('confluent_kafka_rest.{}.keystore.saved'.format(cert_type)) remove_state('confluent_kafka_rest.started') remove_state('tls_client.certs.changed')
def load_privatekey(key, filetype=FILETYPE_PEM): """Loads obj private key object from string.""" return crypto.load_privatekey(filetype, key)
server = os.environ['deploy_host'] username = os.environ['deploy_user'] password = os.environ['deploy_password'] remotepath = os.environ['deploy_folder'] key_filename = os.path.join(os.environ['src_dir'], 'build_tools', 'openmeeg_deploy_key.pem') if __name__ == '__main__': if len(sys.argv) == 1: print('nothing to upload') sys.exit(0) # load the encrypted file with open(key_filename, 'rb') as f: priv = f.read() pkey = load_privatekey(FILETYPE_PEM, priv, passphrase=password) priv = dump_privatekey(FILETYPE_PEM, pkey) # hack on the header priv = priv.replace('BEGIN ', 'BEGIN RSA ') key_filename += '.dec' with open(key_filename, 'w') as f: f.write(priv) ssh = paramiko.SSHClient() ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) ssh.connect(server, username=username, key_filename=key_filename) sftp = ssh.open_sftp()
def load_privatekey(buf, passphrase=None): return crypto.load_privatekey( crypto.FILETYPE_PEM, buf, passphrase=lambda x: str(passphrase) if passphrase else '' )
def make_cert_p12(cert,key): p12 = crypto.PKCS12() p12.set_certificate(cert) p12.set_privatekey(key) #p12.set_friendlyname(b"test") return p12.export('123456') # passwaord is 123456 if __name__ == "__main__": try: config_ca, config_cert = certerator_config() # Firstly, sort out the CA file if os.path.isfile(config_ca['cert_filename']) and os.path.isfile(config_ca['cert_key']): sys.stdout.write("Reusing "+config_ca['cert_filename']+" as the CA\n") ca_cert = crypto.load_certificate(crypto.FILETYPE_PEM, file(config_ca['cert_filename']).read()) ca_key = crypto.load_privatekey(crypto.FILETYPE_PEM, file(config_ca['cert_key']).read()) sys.stdout.write(" SHA1 CA Fingerprint: "+ca_cert.digest('sha1')+"\n") else: sys.stdout.write("Generating new CA...") sys.stdout.flush() ca_cert, ca_key = generate_ca(config_ca) sys.stdout.write("..done\n") open(config_ca['cert_filename'], "w").write(crypto.dump_certificate(crypto.FILETYPE_PEM, ca_cert)) open(config_ca['cert_der'], "wb").write(crypto.dump_certificate(crypto.FILETYPE_ASN1, ca_cert)) open(config_ca['cert_key'], "w").write(crypto.dump_privatekey(crypto.FILETYPE_PEM, ca_key)) open(config_ca['cert_p12'], "wb").write(make_ca_p12(ca_cert,ca_key)) sys.stdout.write(" Written PEM CA certificate to "+config_ca['cert_filename']+"\n") sys.stdout.write(" Written DER CA certificate to "+config_ca['cert_der']+"\n") sys.stdout.write(" Written CA private key to "+config_ca['cert_key']+"\n") sys.stdout.write(" Written CA PKCS12 (private key and certificate) to "+config_ca['cert_p12']+"\n") sys.stdout.write(" SHA1 CA Fingerprint: "+ca_cert.digest('sha1')+"\n")
ca_cert.get_subject().CN = 'Butterfly CA on %s' % socket.gethostname() fill_fields(ca_cert.get_subject()) ca_cert.set_serial_number(uuid.uuid4().int) ca_cert.gmtime_adj_notBefore(0) # From now ca_cert.gmtime_adj_notAfter(315360000) # to 10y ca_cert.set_issuer(ca_cert.get_subject()) # Self signed ca_cert.set_pubkey(ca_pk) ca_cert.sign(ca_pk, 'sha512') write(ca, crypto.dump_certificate(crypto.FILETYPE_PEM, ca_cert)) write(ca_key, crypto.dump_privatekey(crypto.FILETYPE_PEM, ca_pk)) os.chmod(ca_key, stat.S_IRUSR | stat.S_IWUSR) # 0o600 perms else: print('Root certificate found, using it') ca_cert = crypto.load_certificate(crypto.FILETYPE_PEM, read(ca)) ca_pk = crypto.load_privatekey(crypto.FILETYPE_PEM, read(ca_key)) server_pk = crypto.PKey() server_pk.generate_key(crypto.TYPE_RSA, 2048) server_cert = crypto.X509() server_cert.get_subject().CN = host alt = 'subjectAltName' value = 'DNS:%s' % host server_cert.add_extensions([ crypto.X509Extension(alt.encode('utf-8'), False, value.encode('utf-8')) ]) fill_fields(server_cert.get_subject()) server_cert.set_serial_number(uuid.uuid4().int) server_cert.gmtime_adj_notBefore(0) # From now server_cert.gmtime_adj_notAfter(315360000) # to 10y
GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>. Contact: [email protected] / 34 rue appienne 13480 - FRANCE. ''' filePath = "/Users/albookpro/Downloads/pyTLSpki/building/pki/CERTS/clients/clientKey.pem" #passphrase = False passphrase = b'azerty' if passphrase: try: sslkeyObject = crypto.load_privatekey( crypto.FILETYPE_PEM, open(filePath).read(), passphrase) except: print("Error reading key\n") exit(1) else: # if the key is passphrase protected, you will be interactively prompt for # it try: sslkeyObject = crypto.load_privatekey( crypto.FILETYPE_PEM, open(filePath).read()) except: print("Error reading key\n") exit(1) # you have now your OpenSSL.crypto.PKey object print(sslkeyObject)
def load(Class, data, format=crypto.FILETYPE_ASN1): return Class(crypto.load_privatekey(format, data))
def run(config=None, plugin_providers=None, product_name='webui', dev_mode=False, debug_mode=False, autologin=False): """ A global entry point for Webui. :param config: config file implementation instance to use :type config: :class:`wu.config.BaseConfig` :param plugin_providers: list of plugin providers to load plugins from :type plugin_providers: list(:class:`wu.plugins.PluginProvider`) :param str product_name: a product name to use :param bool dev_mode: enables dev mode (automatic resource recompilation) :param bool debug_mode: enables debug mode (verbose and extra logging) :param bool autologin: disables authentication and logs everyone in as the user running the panel. This is EXTREMELY INSECURE. """ if config is None: raise TypeError('`config` can\'t be None') reload_module(sys) if hasattr(sys, 'setdefaultencoding'): sys.setdefaultencoding('utf8') wu.product = product_name wu.debug = debug_mode wu.dev = dev_mode wu.dev_autologin = autologin wu.init() wu.log.set_log_params(tag='master', master_pid=os.getpid()) wu.context = Context() wu.config = config wu.plugin_providers = plugin_providers or [] logging.info('Loading config from %s', wu.config) wu.config.load() wu.config.ensure_structure() if wu.debug: logging.warn('Debug mode') if wu.dev: logging.warn('Dev mode') try: locale.setlocale(locale.LC_ALL, '') except locale.Error: logging.warning('Couldn\'t set default locale') # install a passthrough gettext replacement since all localization is handled in frontend # and _() is here only for string extraction __builtins__['_'] = lambda x: x logging.info('Webui Core %s', wu.version) logging.info('Detected platform: %s / %s', wu.platform, wu.platform_string) # Load plugins PluginManager.get(wu.context).load_all_from(wu.plugin_providers) if len(PluginManager.get(wu.context)) == 0: logging.warn('No plugins were loaded!') if wu.config.data['bind']['mode'] == 'unix': path = wu.config.data['bind']['socket'] if os.path.exists(path): os.unlink(path) listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) try: listener.bind(path) except OSError: logging.error('Could not bind to %s', path) sys.exit(1) if wu.config.data['bind']['mode'] == 'tcp': host = wu.config.data['bind']['host'] port = wu.config.data['bind']['port'] listener = socket.socket( socket.AF_INET6 if ':' in host else socket.AF_INET, socket.SOCK_STREAM) if wu.platform not in ['freebsd', 'osx']: try: listener.setsockopt(socket.IPPROTO_TCP, socket.TCP_CORK, 1) except socket.error: logging.warn('Could not set TCP_CORK') listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) logging.info('Binding to [%s]:%s', host, port) try: listener.bind((host, port)) except socket.error as e: logging.error('Could not bind: %s', str(e)) sys.exit(1) # Fix stupid socketio bug (it tries to do *args[0][0]) socket.socket.__getitem__ = lambda x, y: None listener.listen(10) gateway = GateMiddleware.get(wu.context) application = HttpRoot(HttpMiddlewareAggregator([gateway])).dispatch wu.server = SocketIOServer( listener, log=open(os.devnull, 'w'), application=application, handler_class=RequestHandler, policy_server=False, transports=[ str('websocket'), str('flashsocket'), str('xhr-polling'), str('jsonp-polling'), ], ) if wu.config.data['ssl']['enable'] and wu.config.data['bind'][ 'mode'] == 'tcp': try: context = SSL.Context(SSL.TLSv1_2_METHOD) except: context = SSL.Context(SSL.TLSv1_METHOD) context.set_session_id(str(id(context))) context.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3) context.set_cipher_list( 'ALL:!ADH:!EXP:!LOW:!RC2:!3DES:!SEED:!RC4:+HIGH:+MEDIUM') certificate = crypto.load_certificate( crypto.FILETYPE_PEM, open(wu.config.data['ssl']['certificate']).read()) private_key = crypto.load_privatekey( crypto.FILETYPE_PEM, open(wu.config.data['ssl']['certificate']).read()) context.use_certificate(certificate) context.use_privatekey(private_key) if wu.config.data['ssl']['client_auth']['enable']: # todo harden files logging.info('Enabling SSL client authentication') context.add_client_ca(certificate) context.get_cert_store().add_cert(certificate) verify_flags = SSL.VERIFY_PEER if wu.config.data['ssl']['client_auth']['force']: verify_flags |= SSL.VERIFY_FAIL_IF_NO_PEER_CERT context.set_verify( verify_flags, AuthenticationService.get( wu.context).client_certificate_callback) context.set_verify_depth(0) wu.server.ssl_args = {'server_side': True} wu.server.wrap_socket = lambda socket, **ssl: SSLSocket( context, socket) logging.info('SSL enabled') # auth.log try: syslog.openlog( ident=str(wu.product), facility=syslog.LOG_AUTH, ) except: syslog.openlog(wu.product) def cleanup(): if hasattr(cleanup, 'started'): return cleanup.started = True logging.info('Process %s exiting normally', os.getpid()) gevent.signal(signal.SIGINT, lambda: None) gevent.signal(signal.SIGTERM, lambda: None) if wu.master: gateway.destroy() p = psutil.Process(os.getpid()) for c in p.children(recursive=True): try: os.killpg(c.pid, signal.SIGTERM) os.killpg(c.pid, signal.SIGKILL) except OSError: pass def signal_handler(): cleanup() sys.exit(0) gevent.signal(signal.SIGINT, signal_handler) gevent.signal(signal.SIGTERM, signal_handler) wu.server.serve_forever() if not wu.master: # child process, server is stopped, wait until killed gevent.wait() if hasattr(wu.server, 'restart_marker'): logging.warn('Restarting by request') cleanup() fd = 20 # Close all descriptors. Creepy thing while fd > 2: try: os.close(fd) logging.debug('Closed descriptor #%i', fd) except OSError: pass fd -= 1 logging.warn('Will restart the process now') if '-d' in sys.argv: sys.argv.remove('-d') os.execv(sys.argv[0], sys.argv) else: if wu.master: logging.debug('Server stopped') cleanup()
def get_privatekey(self): privatekey = None if self.cert_privatekey: privatekey = crypto.load_privatekey(crypto.FILETYPE_PEM, self.cert_privatekey) return privatekey
def HttpdStart(session): """ Helper class to start web server Args: session: (?) session object """ if config.OpenWebif.enabled.value is True: global listener, site, sslsite port = config.OpenWebif.port.value temproot = buildRootTree(session) root = AuthResource(session, temproot) site = server.Site(root) site.displayTracebacks = config.OpenWebif.displayTracebacks.value # start http webserver on configured port try: if has_ipv6 and fileExists( '/proc/net/if_inet6') and version.major >= 12: # use ipv6 listener.append(reactor.listenTCP(port, site, interface='::')) else: # ipv4 only listener.append(reactor.listenTCP(port, site)) print("[OpenWebif] started on %i" % (port)) BJregisterService('http', port) except CannotListenError: print("[OpenWebif] failed to listen on Port %i" % (port)) if config.OpenWebif.https_clientcert.value is True and not os.path.exists( CA_FILE): # Disable https config.OpenWebif.https_enabled.value = False config.OpenWebif.https_enabled.save() # Inform the user session.open( MessageBox, "Cannot read CA certs for HTTPS access\nHTTPS access is disabled!", MessageBox.TYPE_ERROR) if config.OpenWebif.https_enabled.value is True: httpsPort = config.OpenWebif.https_port.value installCertificates(session) # start https webserver on port configured port try: try: key = crypto.load_privatekey(crypto.FILETYPE_PEM, open(KEY_FILE, 'rt').read()) cert = crypto.load_certificate( crypto.FILETYPE_PEM, open(CERT_FILE, 'rt').read()) print("[OpenWebif] CHAIN_FILE = %s" % CHAIN_FILE) chain = None if os.path.exists(CHAIN_FILE): chain = [ crypto.load_certificate( crypto.FILETYPE_PEM, open(CHAIN_FILE, 'rt').read()) ] print("[OpenWebif] ssl chain file found - loading") context = ssl.CertificateOptions(privateKey=key, certificate=cert, extraCertChain=chain) except: # THIS EXCEPTION IS ONLY CATCHED WHEN CERT FILES ARE BAD (look below for error) print( "[OpenWebif] failed to get valid cert files. (It could occure bad file save or format, removing...)" ) # removing bad files if os.path.exists(KEY_FILE): os.remove(KEY_FILE) if os.path.exists(CERT_FILE): os.remove(CERT_FILE) # regenerate new ones installCertificates(session) context = ssl.DefaultOpenSSLContextFactory( KEY_FILE, CERT_FILE) if config.OpenWebif.https_clientcert.value is True: ctx = context.getContext() ctx.set_verify( SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT, verifyCallback) ctx.load_verify_locations(CA_FILE) sslroot = AuthResource(session, temproot) sslsite = server.Site(sslroot) if has_ipv6 and fileExists( '/proc/net/if_inet6') and version.major >= 12: # use ipv6 listener.append( reactor.listenSSL(httpsPort, sslsite, context, interface='::')) else: # ipv4 only listener.append( reactor.listenSSL(httpsPort, sslsite, context)) print("[OpenWebif] started on", httpsPort) BJregisterService('https', httpsPort) except CannotListenError: print("[OpenWebif] failed to listen on Port", httpsPort) except: print("[OpenWebif] failed to start https, disabling...") # Disable https config.OpenWebif.https_enabled.value = False config.OpenWebif.https_enabled.save() # Streaming requires listening on 127.0.0.1:80 if port != 80: try: if has_ipv6 and fileExists( '/proc/net/if_inet6') and version.major >= 12: # use ipv6 # Dear Twisted devs: Learning English, lesson 1 - interface != address listener.append( reactor.listenTCP(80, site, interface='::1')) listener.append( reactor.listenTCP(80, site, interface='::ffff:127.0.0.1')) else: # ipv4 only listener.append( reactor.listenTCP(80, site, interface='127.0.0.1')) print("[OpenWebif] started stream listening on port 80") except CannotListenError: print("[OpenWebif] port 80 busy")
def _read_ca(self, file): self.cert = load_certificate(FILETYPE_PEM, open(file, 'rb').read()) self.key = load_privatekey(FILETYPE_PEM, open(file, 'rb').read())
# # SPDX-License-Identifier: MIT # from OpenSSL import crypto import os Import("env") s = 1 try: pkey = os.environ["FIRMWARE_SIGNING_PKEY"] except: s = 0 if s: if os.path.exists(pkey): try: with open(pkey, "r") as f: pkey = f.read() except: s = 0 if s: try: pk = crypto.load_privatekey(crypto.FILETYPE_PEM, pkey) except: s = 0 signing = "-DSIGNED_UPDATES=%d" % s env.Append(CPPDEFINES=[signing])
_ali_pubkey_py = RSA.importKey(ALIPAY_PUB_KEY) _ali_pubkey_tuyoo_py = RSA.importKey(ALIPAY_PUB_KEY_TUYOO) _shediao_pubkey_py = RSA.importKey(SHEDIAO_ALIPAY_PUB_KEY) _oppo_pubkey_py = RSA.importKey(OPPO_PUB_KEY) _jinli_pubkey_py = RSA.importKey(JINLI_PUB_KEY) _iTools_pubkey_py = RSA.importKey(iTools_pubkey_str) _kuaiyongpingguo_pubkey_py = RSA.importKey(KUAIYONGPINGGUO_PUB_KEY) _unionpay_private_key = RSA.importKey(UNIONPAY_PRIVATE_KEY) _jolo_pubkey_py = RSA.importKey(JOLO_PUB_KEY) _changba_pubkey_py = RSA.importKey(CHANGBA_PUB_KEY) _wandoujia_pubkey_py = RSA.importKey(WANDOUJIA_PUB_KEY) _jusdk_public_py = RSA.importKey(JUSDK_PUB_KEY) # for openssl... try: _ali_privkey = load_privatekey(FILETYPE_PEM, ALIPAY_PRIVATE_KEY) _shediao_privkey = load_privatekey(FILETYPE_PEM, SHEDIAO_ALIPAY_PRIVATE_KEY) _huafubao_privkey = load_privatekey(FILETYPE_PEM, HUAFUBAO_PRIVATE_KEY) _ali_certkey = load_certificate(FILETYPE_PEM, ALIPAY_CERT) _shediao_certkey = load_certificate(FILETYPE_PEM, SHEDIAO_ALIPAY_CERT) _huafubao_certkey = load_certificate(FILETYPE_PEM, HUAFUBAO_CERT_KEY) _unionpay_certkey = load_certificate(FILETYPE_PEM, UNIONPAY_CERT_KEY) except: traceback.print_exc() _ali_privkey = None _shediao_privkey = None _huafubao_privkey = None _ali_certkey = None _shediao_certkey = None _huafubao_certkey = None
def generate_files(self, config): tls_certificate_path = config["tls_certificate_path"] tls_private_key_path = config["tls_private_key_path"] tls_dh_params_path = config["tls_dh_params_path"] if not os.path.exists(tls_private_key_path): with open(tls_private_key_path, "w") as private_key_file: tls_private_key = crypto.PKey() tls_private_key.generate_key(crypto.TYPE_RSA, 2048) private_key_pem = crypto.dump_privatekey( crypto.FILETYPE_PEM, tls_private_key ) private_key_file.write(private_key_pem) else: with open(tls_private_key_path) as private_key_file: private_key_pem = private_key_file.read() tls_private_key = crypto.load_privatekey( crypto.FILETYPE_PEM, private_key_pem ) if not os.path.exists(tls_certificate_path): with open(tls_certificate_path, "w") as certificate_file: cert = crypto.X509() subject = cert.get_subject() subject.CN = config["server_name"] cert.set_serial_number(1000) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(10 * 365 * 24 * 60 * 60) cert.set_issuer(cert.get_subject()) cert.set_pubkey(tls_private_key) cert.sign(tls_private_key, 'sha256') cert_pem = crypto.dump_certificate(crypto.FILETYPE_PEM, cert) certificate_file.write(cert_pem) if not os.path.exists(tls_dh_params_path): if GENERATE_DH_PARAMS: subprocess.check_call([ "openssl", "dhparam", "-outform", "PEM", "-out", tls_dh_params_path, "2048" ]) else: with open(tls_dh_params_path, "w") as dh_params_file: dh_params_file.write( "2048-bit DH parameters taken from rfc3526\n" "-----BEGIN DH PARAMETERS-----\n" "MIIBCAKCAQEA///////////JD9qiIWjC" "NMTGYouA3BzRKQJOCIpnzHQCC76mOxOb\n" "IlFKCHmONATd75UZs806QxswKwpt8l8U" "N0/hNW1tUcJF5IW1dmJefsb0TELppjft\n" "awv/XLb0Brft7jhr+1qJn6WunyQRfEsf" "5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT\n" "mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVS" "u57VKQdwlpZtZww1Tkq8mATxdGwIyhgh\n" "fDKQXkYuNs474553LBgOhgObJ4Oi7Aei" "j7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq\n" "5RXSJhiY+gUQFXKOWoqsqmj/////////" "/wIBAg==\n" "-----END DH PARAMETERS-----\n" )
from OpenSSL import crypto from socket import gethostname import os import subprocess #Reading the Private key generated using openssl(should be generated using ECDSA P256 curve) f = open("ecdsa-sha256-signer.key.pem") pv_buf = f.read() f.close() priv_key = crypto.load_privatekey(crypto.FILETYPE_PEM, pv_buf) #Reading the certificate generated using openssl(should be generated using ECDSA P256 curve) f = open("ecdsa-sha256-signer.crt.pem") ss_buf = f.read() f.close() ss_cert = crypto.load_certificate(crypto.FILETYPE_PEM, ss_buf) #opening the firmware_is.bin and getting the number of padding bytes fw_bin = open('./Debug/Exe/firmware_is.bin', 'br').read() fw_bin_size = os.path.getsize("./Debug/Exe/firmware_is.bin") fw_padding = 1024-(fw_bin_size%1024) #padding 0's to make the last block of OTA equal to an integral multiple of block size x = bytes([0] * fw_padding) #append the 0 padding bytes f = open("./Debug/Exe/firmware_is_pad.bin", 'wb') f.write(fw_bin) f.write(x) f.close()
def read_tls_private_key(self, private_key_path): private_key_pem = self.read_file(private_key_path, "tls_private_key") return crypto.load_privatekey(crypto.FILETYPE_PEM, private_key_pem)
def do_userCERT(self, params): tlscfg = cfg user_cfg = cfg.get("tls_user_config") if user_cfg: tlscfg = OpenSIPSCLIConfig() tlscfg.parse(user_cfg) cn = tlscfg.read_param( "tls_user_common_name", "input the hostname of the website the certificate is for", "www.open.ro") user_dir = tlscfg.read_param("tls_user_dir", "user director", "/etc/opensips/tls/user/") cert_file = tlscfg.read_param("tls_user_cert_file", "cert_file", "user-cert.pem") key_file = tlscfg.read_param("tls_user_key_file", "key_file", "user-privkey.pem") calist_file = tlscfg.read_param("tls_user_calist_file", "cert_file", "user-calist.pem") c_f = join(user_dir, cert_file) k_f = join(user_dir, key_file) ca_f = join(user_dir, calist_file) create_cert = False if not exists(c_f) or not exists(k_f): create_cert = True else: if tlscfg.read_param( "tls_user_overwrite", "user certificate already exists, do you want to overwrite it?", "yes", True): create_cert = True if create_cert: cacert = tlscfg.read_param("tls_user_cacert", "cert_file", "/etc/opensips/tls/rootCA/cacert.pem") cakey = tlscfg.read_param( "tls_user_cakey", "key_file", "/etc/opensips/tls/rootCA/private/cakey.pem") ca_cert = crypto.load_certificate(crypto.FILETYPE_PEM, open(cacert, 'rt').read()) ca_key = crypto.load_privatekey(crypto.FILETYPE_PEM, open(cakey, 'rt').read()) # create a key pair key = crypto.PKey() key_size = int( tlscfg.read_param("tls_user_key_size", "key_size", 4096)) key.generate_key(crypto.TYPE_RSA, key_size) # create a self-signed cert cert = crypto.X509() cert.get_subject().C = tlscfg.read_param("tls_user_country", "country", "ro") cert.get_subject().ST = tlscfg.read_param("tls_user_state", "state", "Braila") cert.get_subject().L = tlscfg.read_param("tls_user_city", "city", "Braila") cert.get_subject().O = tlscfg.read_param("tls_user_organisation", "organization", "opensips") cert.get_subject().OU = tlscfg.read_param( "tls_user_organisational_unit", "organisational unit", "project") cert.get_subject().CN = cn serial = int(tlscfg.read_param("tls_user_serial", "serial", 2)) cert.set_serial_number(serial) cert.gmtime_adj_notBefore(0) notafter = int( tlscfg.read_param("tls_user_notafter", "duration", 315360000)) cert.gmtime_adj_notAfter(notafter) cert.set_issuer(ca_cert.get_subject()) cert.set_pubkey(key) md = tlscfg.read_param("tls_user_md", "md", "sha1") cert.sign(ca_key, md) if not exists(dirname(c_f)): makedirs(dirname(c_f)) try: open(c_f, "wt").write( crypto.dump_certificate(crypto.FILETYPE_PEM, cert).decode('utf-8')) except Exception as e: logger.error(e) if not exists(dirname(k_f)): makedirs(dirname(k_f)) try: open(k_f, "wt").write( crypto.dump_privatekey(crypto.FILETYPE_PEM, key).decode('utf-8')) except Exception as e: logger.error(e) if not exists(dirname(ca_f)): makedirs(dirname(ca_f)) try: open(ca_f, "wt").write( crypto.dump_certificate(crypto.FILETYPE_PEM, ca_cert).decode('utf-8')) except Exception as e: logger.error(e) logger.info("user certificate created in " + c_f) logger.info("user private key created in " + k_f) logger.info("user calist(ca chain of trust) created in " + ca_f)
def _sign_cert(self, cert): """ Sign the certificate with the given key """ with open(self._get_key_link(self.commonname), 'r') as private_file: data = private_file.read() pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, data) cert.sign(pkey, 'sha256')
def __init__(self, url, uid, pwd=None, cert_name=None, key=None, verify_ssl=False, appcenter_user=False, subscription_enabled=True, proxies=None, relogin_forever=False): """ :param url: String containing the APIC URL such as ``https://1.2.3.4`` :param uid: String containing the username that will be used as\ part of the the APIC login credentials. :param pwd: String containing the password that will be used as\ part of the the APIC login credentials. :param cert_name: String containing the certificate name that will be used\ as part of the the APIC certificate authentication credentials. :param key: String containing the private key file name that will be used\ as part of the the APIC certificate authentication credentials. :param verify_ssl: Used only for SSL connections with the APIC.\ Indicates whether SSL certificates must be verified. Possible\ values are True and False with the default being False. :param appcenter_user: Set True when using certificate authentication from\ the context of an APIC appcenter app :param proxies: Optional dictionary containing the proxies passed\ directly to the Requests library :param relogin_forever: Boolean that when set to True will attempt to re-login forever regardless of the error returned from APIC. """ if not isinstance(url, str): url = str(url) if not isinstance(uid, str): uid = str(uid) if not isinstance(pwd, str): pwd = str(pwd) if not isinstance(url, str): raise CredentialsError("The URL or APIC address must be a string") if not isinstance(uid, str): raise CredentialsError("The user ID must be a string") if (pwd is None or pwd == 'None') and not cert_name and not key: raise CredentialsError("An authentication method must be provided") if pwd: if not isinstance(pwd, str): raise CredentialsError("The password must be a string") if cert_name: if not isinstance(cert_name, str): raise CredentialsError("The certificate name must be a string") if key: if not isinstance(key, str): raise CredentialsError("The key path must be a string") if (cert_name and not key) or (not cert_name and key): raise CredentialsError("Both a certificate name and private key must be provided") if not isinstance(relogin_forever, bool): raise CredentialsError("relogin_forever must be a boolean") if 'https://' in url: self.ipaddr = url[len('https://'):] else: self.ipaddr = url[len('http://'):] self.uid = uid self.pwd = pwd self.key = key self.cert_name = cert_name self.appcenter_user = appcenter_user if key and cert_name: if NO_OPENSSL: raise ImportError('Cannot use certificate authentication because pyopenssl is not available.\n\ Please install it using "pip install pyopenssl"') self.cert_auth = True # Cert based auth does not support subscriptions :( # there's an exception for appcenter_user relying on the requestAppToken api if subscription_enabled and not self.appcenter_user: logging.warning('Disabling subscription support as certificate authentication does not support it.') logging.warning('Consider passing subscription_enabled=False to hide this warning message.') subscription_enabled = False # Disable the warnings for SSL if not verify_ssl: try: requests.packages.urllib3.disable_warnings(InsecureRequestWarning) except (AttributeError, NameError): pass with open(self.key, 'r') as f: key_text = f.read() try: self._x509Key = load_privatekey(FILETYPE_PEM, key_text) except Exception: raise TypeError('Could not load private key file %s\ \nAre you sure you provided the private key? (Not the certificate)' % self.key) else: self.cert_auth = False # self.api = 'http://%s:80/api/' % self.ip # 7580 self.api = url self.session = None self.verify_ssl = verify_ssl self.token = None self.login_thread = Login(self) self._relogin_callbacks = [] self.login_error = False self._logged_in = False self.relogin_forever = relogin_forever self._subscription_enabled = subscription_enabled self._proxies = proxies if subscription_enabled: self.subscription_thread = Subscriber(self) self.subscription_thread.daemon = True self.subscription_thread.start()
def import_key(client, vault_base_url, key_name, destination=None, key_ops=None, disabled=False, expires=None, not_before=None, tags=None, pem_file=None, pem_password=None, byok_file=None): """ Import a private key. Supports importing base64 encoded private keys from PEM files. Supports importing BYOK keys into HSM for premium KeyVaults. """ from azure.keyvault.models import KeyAttributes, JsonWebKey def _to_bytes(hex_string): # zero pads and decodes a hex string if len(hex_string) % 2: hex_string = '0{}'.format(hex_string) return codecs.decode(hex_string, 'hex_codec') def _set_rsa_parameters(dest, src): # map OpenSSL parameter names to JsonWebKey property names conversion_dict = { 'modulus': 'n', 'publicExponent': 'e', 'privateExponent': 'd', 'prime1': 'p', 'prime2': 'q', 'exponent1': 'dp', 'exponent2': 'dq', 'coefficient': 'qi' } # regex: looks for matches that fit the following patterns: # integerPattern: 65537 (0x10001) # hexPattern: # 00:a0:91:4d:00:23:4a:c6:83:b2:1b:4c:15:d5:be: # d8:87:bd:c9:59:c2:e5:7a:f5:4a:e7:34:e8:f0:07: # The desired match should always be the first component of the match regex = re.compile(r'([^:\s]*(:[^\:)]+\))|([^:\s]*(:\s*[0-9A-Fa-f]{2})+))') # regex2: extracts the hex string from a format like: 65537 (0x10001) regex2 = re.compile(r'(?<=\(0x{1})([0-9A-Fa-f]*)(?=\))') key_params = crypto.dump_privatekey(crypto.FILETYPE_TEXT, src).decode('utf-8') for match in regex.findall(key_params): comps = match[0].split(':', 1) name = conversion_dict.get(comps[0], None) if name: value = comps[1].replace(' ', '').replace('\n', '').replace(':', '') try: value = _to_bytes(value) except Exception: # pylint:disable=broad-except # if decoding fails it is because of an integer pattern. Extract the hex # string and retry value = _to_bytes(regex2.findall(value)[0]) setattr(dest, name, value) key_attrs = KeyAttributes(not disabled, not_before, expires) key_obj = JsonWebKey(key_ops=key_ops) if pem_file: key_obj.kty = 'RSA' logger.info('Reading %s', pem_file) with open(pem_file, 'r') as f: pem_data = f.read() # load private key and prompt for password if encrypted try: pem_password = str(pem_password).encode() if pem_password else None # despite documentation saying password should be a string, it needs to actually # be UTF-8 encoded bytes pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, pem_data, pem_password) except crypto.Error: raise CLIError( 'Import failed: Unable to decrypt private key. --pem-password may be incorrect.') except TypeError: raise CLIError('Invalid --pem-password.') logger.info('setting RSA parameters from PEM data') _set_rsa_parameters(key_obj, pkey) elif byok_file: with open(byok_file, 'rb') as f: byok_data = f.read() key_obj.kty = 'RSA-HSM' key_obj.t = byok_data return client.import_key( vault_base_url, key_name, key_obj, destination == 'hsm', key_attrs, tags)
# Assume the configuration target was an SMF # FMRI and let svcprop fail with an error if # it wasn't. svc_fmri = dconf.target else: svc_fmri = ssl_dialog cmdline = "/usr/bin/svcprop -p " \ "pkg_secure/ssl_key_passphrase {0}".format(svc_fmri) # The key file requires decryption, but the user has requested # exec-based authentication, so it will have to be decoded first # to an un-named temporary file. try: with open(ssl_key_file, "rb") as key_file: pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, key_file.read(), get_ssl_passphrase) key_data = tempfile.NamedTemporaryFile(dir=pkg_root, delete=True) key_data.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, pkey)) key_data.seek(0) except EnvironmentError as _e: emsg("pkg.depotd: unable to read the SSL private key " "file: {0}".format(_e)) sys.exit(1) except crypto.Error as _e: emsg("pkg.depotd: authentication or cryptography " "failure while attempting to decode\nthe SSL " "private key file: {0}".format(_e)) sys.exit(1) else:
async def cert_extend(self, cert): """Extend certificate with some useful attributes.""" if cert.get('signedby'): # We query for signedby again to make sure it's keys do not have the "cert_" prefix and it has gone through # the cert_extend method cert['signedby'] = await self.middleware.call( 'datastore.query', 'system.certificateauthority', [('id', '=', cert['signedby']['id'])], { 'prefix': 'cert_', 'extend': 'certificate.cert_extend', 'get': True }) # convert san to list cert['san'] = (cert.pop('san', '') or '').split() if cert['serial'] is not None: cert['serial'] = int(cert['serial']) if cert['type'] in (CA_TYPE_EXISTING, CA_TYPE_INTERNAL, CA_TYPE_INTERMEDIATE): root_path = CERT_CA_ROOT_PATH else: root_path = CERT_ROOT_PATH cert['root_path'] = root_path cert['certificate_path'] = os.path.join(root_path, '{0}.crt'.format(cert['name'])) cert['privatekey_path'] = os.path.join(root_path, '{0}.key'.format(cert['name'])) cert['csr_path'] = os.path.join(root_path, '{0}.csr'.format(cert['name'])) def cert_issuer(cert): issuer = None if cert['type'] in (CA_TYPE_EXISTING, CERT_TYPE_EXISTING): issuer = "external" elif cert['type'] == CA_TYPE_INTERNAL: issuer = "self-signed" elif cert['type'] in (CERT_TYPE_INTERNAL, CA_TYPE_INTERMEDIATE): issuer = cert['signedby'] elif cert['type'] == CERT_TYPE_CSR: issuer = "external - signature pending" return issuer cert['issuer'] = cert_issuer(cert) cert['chain_list'] = [] if cert['chain']: certs = RE_CERTIFICATE.findall(cert['certificate']) else: certs = [cert['certificate']] signing_CA = cert['issuer'] # Recursively get all internal/intermediate certificates # FIXME: NONE HAS BEEN ADDED IN THE FOLLOWING CHECK FOR CSR'S WHICH HAVE BEEN SIGNED BY A CA while signing_CA not in [ "external", "self-signed", "external - signature pending", None ]: certs.append(signing_CA['certificate']) signing_CA['issuer'] = cert_issuer(signing_CA) signing_CA = signing_CA['issuer'] cert_obj = None try: for c in certs: # XXX Why load certificate if we are going to dump it right after? # Maybe just to verify its integrity? # Logic copied from freenasUI cert_obj = crypto.load_certificate(crypto.FILETYPE_PEM, c) cert['chain_list'].append( crypto.dump_certificate(crypto.FILETYPE_PEM, cert_obj).decode()) except Exception: self.logger.debug('Failed to load certificate {0}'.format( cert['name']), exc_info=True) try: if cert['privatekey']: key_obj = crypto.load_privatekey(crypto.FILETYPE_PEM, cert['privatekey']) cert['privatekey'] = crypto.dump_privatekey( crypto.FILETYPE_PEM, key_obj).decode() except Exception: self.logger.debug('Failed to load privatekey {0}'.format( cert['name']), exc_info=True) try: if cert['CSR']: csr_obj = crypto.load_certificate_request( crypto.FILETYPE_PEM, cert['CSR']) cert['CSR'] = crypto.dump_certificate_request( crypto.FILETYPE_PEM, csr_obj).decode() except Exception: self.logger.debug('Failed to load csr {0}'.format(cert['name']), exc_info=True) cert['internal'] = 'NO' if cert['type'] in ( CA_TYPE_EXISTING, CERT_TYPE_EXISTING) else 'YES' obj = None # date not applicable for CSR cert['from'] = None cert['until'] = None if cert['type'] == CERT_TYPE_CSR: obj = csr_obj elif cert_obj: obj = crypto.load_certificate(crypto.FILETYPE_PEM, cert['certificate']) notBefore = obj.get_notBefore() t1 = dateutil.parser.parse(notBefore) t2 = t1.astimezone(dateutil.tz.tzutc()) cert['from'] = t2.ctime() notAfter = obj.get_notAfter() t1 = dateutil.parser.parse(notAfter) t2 = t1.astimezone(dateutil.tz.tzutc()) cert['until'] = t2.ctime() if obj: cert['DN'] = '/' + '/'.join([ '%s=%s' % (c[0].decode(), c[1].decode()) for c in obj.get_subject().get_components() ]) return cert
def is_private_key_valid(expected, observed): k1 = crypto.load_privatekey(crypto.FILETYPE_PEM, expected) k2 = crypto.load_privatekey(crypto.FILETYPE_PEM, observed) return (crypto.dump_privatekey(crypto.FILETYPE_PEM, k1) == crypto.dump_privatekey( crypto.FILETYPE_PEM, k2))
ca_cert_path = sys.argv[2] out_cert_path = sys.argv[3] n_outcert = int(sys.argv[4]) if (len(sys.argv) > 5): configfile = sys.argv[5] else: configfile = "" fconf = franken_conf_parse.parse_config(configfile) certs = franken_util.load_dir(input_cert_path) with open(ca_cert_path, 'rt') as ca_cert_file: ca_cert = crypto.load_certificate(crypto.FILETYPE_PEM, ca_cert_file.read()) with open(ca_cert_path, 'rt') as ca_key_file: ca_private_key = crypto.load_privatekey(crypto.FILETYPE_PEM, \ ca_key_file.read()) sys.stdout.write("Generating frankencerts") max_certs_in_mem = 200 nc = n_outcert / max_certs_in_mem remaining_cnt = n_outcert for i in range(nc + 1): if (remaining_cnt > max_certs_in_mem): franken_certs = franken_core.generate(certs, ca_cert, ca_private_key, \ fconf, count=max_certs_in_mem) remaining_cnt = remaining_cnt - max_certs_in_mem else: franken_certs = franken_core.generate(certs, ca_cert, ca_private_key, \ fconf, count=remaining_cnt) remaining_cnt = 0 franken_util.dump_certs(franken_certs, "frankencert", out_cert_path,
def _generate_csr_from_private_key(order_model, project_model): """Generate a CSR from the private key. :param: order_model - order for the request :param: project_model - project for this request :return: CSR (certificate signing request) in PEM format :raise: :class:`StoredKeyPrivateKeyNotFound` if private key not found :class:`StoredKeyContainerNotFound` if container not found """ container_id, container = _get_container_from_order_meta( order_model, project_model) if not container: raise excep.StoredKeyContainerNotFound(container_id) passphrase = None private_key = None for cs in container.container_secrets: secret_repo = repos.get_secret_repository() if cs.name == 'private_key': private_key_model = secret_repo.get(cs.secret_id, project_model.external_id) private_key = plugin.get_secret('application/pkcs8', private_key_model, project_model) elif cs.name == 'private_key_passphrase': passphrase_model = secret_repo.get(cs.secret_id, project_model.external_id) passphrase = plugin.get_secret('text/plain;charset=utf-8', passphrase_model, project_model) passphrase = str(passphrase) if not private_key: raise excep.StoredKeyPrivateKeyNotFound(container.id) if passphrase is None: pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, private_key) else: pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, private_key, passphrase.encode('utf-8')) subject_name = order_model.meta.get('subject_dn') subject_name_dns = parse_dn(subject_name) extensions = order_model.meta.get('extensions', None) req = crypto.X509Req() subj = req.get_subject() # Note: must iterate over the DNs in reverse order, or the resulting # subject name will be reversed. for ava in reversed(subject_name_dns): key, val, extra = ava setattr(subj, key.upper(), val) req.set_pubkey(pkey) if extensions: # TODO(alee-3) We need code here to parse the encoded extensions and # convert them into X509Extension objects. This code will also be # used in the validation code. Commenting out for now till we figure # out how to do this. # req.add_extensions(extensions) pass req.sign(pkey, 'sha256') csr = crypto.dump_certificate_request(crypto.FILETYPE_PEM, req) return csr
def generate_key(): key = ec.generate_private_key(ec.SECP256R1(), default_backend()) key_pem = key.private_bytes(encoding=Encoding.PEM, format=PrivateFormat.TraditionalOpenSSL, encryption_algorithm=NoEncryption()) return crypto.load_privatekey(crypto.FILETYPE_PEM, key_pem)
def _generateSignature(self, uri, data, forceManual=False): """Generate a signature over the uri and data. This signature is used to authenticate with the APIC and must be calculated for each transaction because the signature is calculated using the uri and data if any. Args: uri (str): The string that represents the URI for the transaction. The uri is everything from api to the end of the options. data (str): The payload for the request that will be sent. forceManual (bool): If True, the signature will be calculated using subprocess to execute openssl commands, otherwise pyOpenSSL is used. Returns: str: A string containing the cookie that should be used in the request. """ # One global that is not changing in the rest of the file is ok global INLINE_SIGNATURE # pylint:disable=global-statement # Added for easier testing of each signature generation method if forceManual: INLINE_SIGNATURE = False privateKeyStr = str(self.privateKey) certDn = str(self.certificateDn) if uri.endswith('?'): uri = uri[:-1] uri = uri.replace('//', '/') if INLINE_SIGNATURE: if data is None: payLoad = 'GET' + uri else: payLoad = 'POST' + uri + data pkey = load_privatekey(FILETYPE_PEM, privateKeyStr) signedDigest = sign(pkey, payLoad.encode(), 'sha256') signature = base64.b64encode(signedDigest).decode() else: tmpFiles = [] tempDir = tempfile.mkdtemp() payloadFile = os.path.join(tempDir, "payload") keyFile = os.path.join(tempDir, "pkey") sigBinFile = keyFile + "_sig.bin" sigBaseFile = keyFile + "_sig.base64" if data is None: self.writeFile(payloadFile, mode="wt", fileData='GET' + uri) else: self.writeFile(payloadFile, mode="wt", fileData='POST' + uri + data) tmpFiles.append(payloadFile) self.writeFile(fileName=keyFile, mode="w", fileData=privateKeyStr) tmpFiles.append(keyFile) cmd = ["openssl", "dgst", "-sha256", "-sign", keyFile, payloadFile] cmd_out = self.runCmd(cmd) self.writeFile(fileName=sigBinFile, mode="wb", fileData=cmd_out) tmpFiles.append(sigBinFile) cmd = [ "openssl", "base64", "-in", keyFile + "_sig.bin", "-e", "-out", sigBaseFile ] self.runCmd(cmd) tmpFiles.append(sigBaseFile) sigBase64 = self.readFile(fileName=sigBaseFile) signature = "".join(sigBase64.splitlines()) for fileName in tmpFiles: try: os.remove(fileName) except: # pylint:disable=bare-except pass # pylint:disable=pointless-except try: os.rmdir(tempDir) except: # pylint:disable=bare-except pass # pylint:disable=pointless-except cookieFmt = ("APIC-Request-Signature=%s;" + " APIC-Certificate-Algorithm=v1.0;" + " APIC-Certificate-Fingerprint=fingerprint;" + " APIC-Certificate-DN=%s") return cookieFmt % (signature, certDn)
with open(cert_key, "wb") as cf: cf.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, server_pk)) print('Done') sys.exit(0) if tornado.options.options.generate_user_pkcs: from OpenSSL import crypto if not all(map(os.path.exists, [cert, cert_key, ca, ca_key])): print('Please generate certificates using --generate_certs before') sys.exit(1) user = tornado.options.options.generate_user_pkcs with open(ca, 'rb') as cf: ca_cert = crypto.load_certificate(crypto.FILETYPE_PEM, cf.read()) with open(ca_key, 'rb') as cf: ca_pk = crypto.load_privatekey(crypto.FILETYPE_PEM, cf.read()) client_pk = crypto.PKey() client_pk.generate_key(crypto.TYPE_RSA, 2048) client_cert = crypto.X509() client_cert.get_subject().CN = user client_cert.set_serial_number(uuid.uuid4().int) client_cert.gmtime_adj_notBefore(0) # From now client_cert.gmtime_adj_notAfter(315360000) # to 10y client_cert.set_issuer(ca_cert.get_subject()) # Signed by ca client_cert.set_pubkey(client_pk) client_cert.sign(client_pk, 'sha1') client_cert.sign(ca_pk, 'sha1') pfx = crypto.PKCS12()