def get_cert_path(self, cn): cnp = os.path.sep.join( [self.cache_dir, '%s-%s.pem' % (self.CERT_PREFIX, cn)]) if os.path.exists(cnp): print("Cert already exists common_name=%s" % cn) else: print("Creating and signing cert common_name=%s" % cn) key = PKey() key.generate_key(TYPE_RSA, 2048) # Generate CSR req = X509Req() req.get_subject().CN = cn req.set_pubkey(key) req.sign(key, 'sha1') # Sign CSR cert = X509() cert.set_subject(req.get_subject()) cert.set_serial_number(123) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(31536000) cert.set_issuer(self.cert.get_subject()) cert.set_pubkey(req.get_pubkey()) cert.sign(self.key, 'sha256') with open(cnp, 'wb+') as f: f.write(dump_privatekey(FILETYPE_PEM, key)) f.write(dump_certificate(FILETYPE_PEM, cert)) print("Created cert common_name=%s location=%s" % (cn, cnp)) return cnp
class RSA: def __init__(self): self.pk = PKey() self.pk.generate_key(TYPE_RSA, 1024) self.private_key = self.strip_pri( dump_privatekey(FILETYPE_PEM, self.pk)) self.public_key = self.strip_pub(dump_publickey(FILETYPE_PEM, self.pk)) def strip_pub(self, content): content = content.replace(b'-----BEGIN PUBLIC KEY-----\n', b'') content = content.replace(b'\n-----END PUBLIC KEY-----\n', b'') content = content.replace(b'\n', b'') return content def strip_pri(self, content): content = content.replace(b'-----BEGIN PRIVATE KEY-----\n', b'') content = content.replace(b'\n-----END PRIVATE KEY-----\n', b'') content = content.replace(b'\n', b'') return content def get_public_key(self): return self.public_key.decode('utf8') def get_private_key(self): return self.private_key.decode('utf8')
def __getitem__(self, cn): cnp = path.sep.join([self.cache_dir, '.pymp_%s.pem' % cn]) if not path.exists(cnp): # Crea Key key = PKey() key.generate_key(TYPE_RSA, 2048) # Crea CSR # revisar : http://stackoverflow.com/questions/24043226/generating-a-csr-with-python-crypto req = X509Req() req.get_subject().CN = cn req.set_pubkey(key) req.sign(key, 'sha1') # Firmar CSR cert = X509() cert.set_subject(req.get_subject()) cert.set_serial_number(self.serial) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(31536000) cert.set_issuer(self.cert.get_subject()) cert.set_pubkey(req.get_pubkey()) cert.sign(self.key, 'sha1') with open(cnp, 'wb+') as f: f.write(dump_privatekey(FILETYPE_PEM, key)) f.write(dump_certificate(FILETYPE_PEM, cert)) return cnp
def test_set_passwd_cb(self): """ L{Context.set_passwd_cb} accepts a callable which will be invoked when a private key is loaded from an encrypted PEM. """ key = PKey() key.generate_key(TYPE_RSA, 128) pemFile = self.mktemp() fObj = file(pemFile, 'w') passphrase = "foobar" fObj.write(dump_privatekey(FILETYPE_PEM, key, "blowfish", passphrase)) fObj.close() calledWith = [] def passphraseCallback(maxlen, verify, extra): calledWith.append((maxlen, verify, extra)) return passphrase context = Context(TLSv1_METHOD) context.set_passwd_cb(passphraseCallback) context.use_privatekey_file(pemFile) self.assertTrue(len(calledWith), 1) self.assertTrue(isinstance(calledWith[0][0], int)) self.assertTrue(isinstance(calledWith[0][1], int)) self.assertEqual(calledWith[0][2], None)
def create_csr(csr_file_path): private_key_path = re.sub(r".(pem|crt)$", ".key", cert_file_path, flags=re.IGNORECASE) # create public/private key key = PKey() key.generate_key(TYPE_RSA, 2048) # Generate CSR req = X509Req() req.get_subject().CN = 'localhost' req.get_subject().O = 'XYZ Widgets Inc' req.get_subject().OU = 'IT Department' req.get_subject().L = 'Seattle' req.get_subject().ST = 'Washington' req.get_subject().C = 'US' req.get_subject().emailAddress = '*****@*****.**' req.set_pubkey(key) req.sign(key, 'sha256') with open(csr_file_path, 'wb+') as f: f.write(dump_certificate_request(FILETYPE_PEM, req)) with open(private_key_path, 'wb+') as f: f.write(dump_privatekey(FILETYPE_PEM, key))
def __getitem__(self, cn): cnp = path.sep.join([self.cache_dir, '.pymp_%s.pem' % cn]) if not path.exists(cnp): # create certificate key = PKey() key.generate_key(TYPE_RSA, 2048) # Generate CSR req = X509Req() req.get_subject().CN = cn req.set_pubkey(key) req.sign(key, 'sha1') # Sign CSR cert = X509() cert.set_subject(req.get_subject()) cert.set_serial_number(self.serial) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(31536000) cert.set_issuer(self.cert.get_subject()) cert.set_pubkey(req.get_pubkey()) cert.sign(self.key, 'sha1') with open(cnp, 'wb+') as f: f.write(dump_privatekey(FILETYPE_PEM, key)) f.write(dump_certificate(FILETYPE_PEM, cert)) return cnp
def create_dummy_certificate(certname,keyname,_dir, force=False) -> bool: if certname and keyname and _dir: if path.exists(_dir+keyname) and path.exists(_dir+certname) and not force: return True else: if path.exists(_dir+certname): remove(_dir+certname) if path.exists(_dir+keyname): remove(_dir+keyname) key = PKey() key.generate_key(TYPE_RSA, 4096) cert = X509() cert.set_serial_number(uuid4().int) cert.set_version(2) cert.get_subject().C = "US" cert.get_subject().ST = "WA" cert.get_subject().L = "127.0.0.1" cert.get_subject().O = "github.com/qeeqbox/analyzer" cert.get_subject().OU = "github.com/qeeqbox/analyzer" cert.get_subject().CN = "auto generated self signed certificate by qeeqbox/analyzer" cert.gmtime_adj_notBefore(-60 * 60 * 24 * 365 * 2) cert.gmtime_adj_notAfter(60 * 60 * 24 * 365 * 2) cert.set_issuer(cert.get_subject()) cert.set_pubkey(key) cert.add_extensions([X509Extension(b"basicConstraints", True, b"CA:TRUE, pathlen:0"), X509Extension(b"keyUsage", True, b"keyCertSign, cRLSign"), X509Extension(b"subjectKeyIdentifier", False, b"hash", subject=cert),]) cert.sign(key, 'sha256') with open(_dir+certname, 'wb') as f: f.write(dump_certificate(FILETYPE_PEM, cert)) with open(_dir+keyname, 'wb') as f: f.write(dump_privatekey(FILETYPE_PEM, key)) return True return False
def __getitem__(self, cn): cnp = os.path.sep.join([self.cache_dir, '.pymp_%s.pem' % cn]) if not os.path.exists(cnp): # create certificate key = PKey() key.generate_key(TYPE_RSA, 2048) # Generate CSR req = X509Req() req.get_subject().CN = cn req.set_pubkey(key) req.sign(key, 'sha256') # Sign CSR cert = X509() cert.set_subject(req.get_subject()) cert.set_serial_number(self.serial) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(31536000) cert.set_issuer(self.cert.get_subject()) cert.set_pubkey(req.get_pubkey()) cert.sign(self.key, 'sha256') with open(cnp, 'wb+') as f: f.write(dump_privatekey(self.filetype, key)) f.write(dump_certificate(self.filetype, cert)) return cnp
def make_cert(filename, cacert=None, cakey=None): key = PKey() key.generate_key(TYPE_RSA, 2048) cert = X509() subject = cert.get_subject() subject.C = b"TR" subject.ST = b"Çorum" subject.L = b"Başmakçı" subject.CN = b"localhost" subject.O = b"Mozilla Test" subject.OU = b"Autopush Test %s" % filename subject.emailAddress = b"*****@*****.**" subjectAltName = X509Extension(b'subjectAltName', False, b'DNS:localhost') cert.add_extensions([subjectAltName]) cert.set_serial_number(uuid.uuid4().int) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(60 * 60 * 24 * 365 * 100) cert.set_pubkey(key) if not cacert: # self sign cacert = cert cakey = key cert.set_issuer(cacert.get_subject()) cert.sign(cakey, 'sha1') with open(filename, 'wb') as fp: fp.write(dump_privatekey(FILETYPE_PEM, key)) fp.write(dump_certificate(FILETYPE_PEM, cert)) return cert, key
def _sign_ca(self, cn, cnp): # 使用合法的CA证书为代理程序生成服务器证书 # create certificate try: key = PKey() key.generate_key(TYPE_RSA, 2048) # Generate CSR req = X509Req() req.get_subject().CN = cn req.set_pubkey(key) req.sign(key, 'sha256') # Sign CSR cert = X509() cert.set_version(2) cert.set_subject(req.get_subject()) cert.set_serial_number(self.serial) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(31536000) cert.set_issuer(self.cert.get_subject()) ss = ("DNS:%s" % cn).encode(encoding="utf-8") cert.add_extensions([X509Extension(b"subjectAltName", False, ss)]) cert.set_pubkey(req.get_pubkey()) cert.sign(self.key, 'sha256') with open(cnp, 'wb+') as f: f.write(dump_privatekey(FILETYPE_PEM, key)) f.write(dump_certificate(FILETYPE_PEM, cert)) except Exception as e: raise Exception("generate CA fail:{}".format(str(e)))
def _sign_ca(self,cn,cnp): #使用合法的CA证书为代理程序生成服务器证书 # create certificate try: key = PKey() key.generate_key(TYPE_RSA, 2048) # Generate CSR req = X509Req() req.get_subject().CN = cn req.set_pubkey(key) req.sign(key, 'sha256') # Sign CSR cert = X509() cert.set_version(2) cert.set_subject(req.get_subject()) cert.set_serial_number(self.serial) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(31536000) cert.set_issuer(self.cert.get_subject()) ss = ("DNS:%s" % cn).encode(encoding="utf-8") cert.add_extensions( [X509Extension(b"subjectAltName", False, ss)]) cert.set_pubkey(req.get_pubkey()) cert.sign(self.key, 'sha256') with open(cnp, 'wb+') as f: f.write(dump_privatekey(FILETYPE_PEM, key)) f.write(dump_certificate(FILETYPE_PEM, cert)) except Exception as e: raise Exception("generate CA fail:{}".format(str(e)))
def __getitem__(self, cn): ''' Gets the specified Certificate authority file if it already exists, else creates one! ''' cnp = path.sep.join([self.cache_dir, '.pymp_%s.pem' % cn]) if not path.exists(cnp): # create certificate key = PKey() key.generate_key(TYPE_RSA, 2048) # Generate CSR req = X509Req() req.get_subject().CN = cn req.set_pubkey(key) req.sign(key, 'sha1') # Sign CSR cert = X509() cert.set_subject(req.get_subject()) cert.set_serial_number(self.serial) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(31536000) cert.set_issuer(self.cert.get_subject()) cert.set_pubkey(req.get_pubkey()) cert.sign(self.key, 'sha1') with open(cnp, 'wb+') as f: f.write(dump_privatekey(FILETYPE_PEM, key)) f.write(dump_certificate(FILETYPE_PEM, cert)) return cnp
def make_certificate( ca_crt_path = 'ca.crt', ca_key_path = 'ca.key', server_crt_path = 'server.crt', server_key_path = 'server.key', vars=None): # make the certificat of CA # need passphrase ? ca_key = PKey() ca_key.generate_key(TYPE_RSA, 1024) dump_write(dump_privatekey(FILETYPE_PEM, ca_key), ca_key_path) # MAKE THE CA SELF-SIGNED CERTIFICATE cert = X509() sub = cert.get_subject() set_x509_ca(sub, vars=vars) #FORMAT : YYYYMMDDhhmmssZ after = '20200101000000Z' before = '20090101000000Z' cert.set_notAfter(after) cert.set_notBefore(before) cert.set_serial_number(1) cert.set_pubkey(ca_key) cert.set_issuer(cert.get_subject()) cert.sign(ca_key,"MD5") dump_write(dump_certificate(FILETYPE_PEM, cert), ca_crt_path) print "Generated CA certificate in %s" % ca_crt_path # MAKE THE SERVER CERTIFICATE s_key = PKey() s_key.generate_key(TYPE_RSA, 1024) dump_write(dump_privatekey(FILETYPE_PEM, s_key), server_key_path) s_cert = X509() s_sub = s_cert.get_subject() set_x509_serv(s_sub, vars=vars) #FORMAT : YYYYMMDDhhmmssZ after = '20200101000000Z' before = '20090101000000Z' s_cert.set_notAfter(after) s_cert.set_notBefore(before) s_cert.set_serial_number(2) s_cert.set_pubkey(s_key) s_cert.set_issuer(cert.get_subject()) s_cert.sign(ca_key,"MD5") dump_write(dump_certificate(FILETYPE_PEM, s_cert), server_crt_path) print "Generated Server certificate in %s" % server_crt_path for p in [ca_key_path, server_key_path]: os.chmod(p, 0600)
def gen_rsa_key(bits): """ Generate an RSA key and returns it in PEM format. :rtype: An RSA key as an `pyopenssl.OpenSSL.crypto.PKey` """ key = PKey() key.generate_key(TYPE_RSA, bits) return crypto.dump_privatekey(SSL.FILETYPE_PEM, key)
def test_use_privatekey(self): """ L{Context.use_privatekey} takes an L{OpenSSL.crypto.PKey} instance. """ key = PKey() key.generate_key(TYPE_RSA, 128) ctx = Context(TLSv1_METHOD) ctx.use_privatekey(key) self.assertRaises(TypeError, ctx.use_privatekey, "")
def generateKey(self,directory = "D:\\test",bits=1024): pk = PKey() pk.generate_key(TYPE_RSA, bits) with open (directory+'\pubkey.pem', mode='wb') as f: f.write(dump_publickey(FILETYPE_PEM, pk)) f.close() with open (directory+'\prikey.pem', mode='wb') as f: f.write(dump_privatekey(FILETYPE_PEM, pk)) f.close()
def generatePrivate(cert_name,password, _size = 2048): pk = PKey() pk.generate_key(TYPE_RSA, _size) pk_gen = pk.to_cryptography_key() _PEM = Encoding.PEM _TraditionalOpenSSL = PrivateFormat.TraditionalOpenSSL _encryption = BestAvailableEncryption(password) pvt = pk_gen.private_bytes(_PEM, _TraditionalOpenSSL, _encryption) return pk,pvt
def test_rsaGeneration(self): """ L{PKeyType.generate_key} generates an RSA key when passed L{TYPE_RSA} as a type and a reasonable number of bits. """ bits = 128 key = PKey() key.generate_key(TYPE_RSA, bits) self.assertEqual(key.type(), TYPE_RSA) self.assertEqual(key.bits(), bits)
def test_regeneration(self): """ L{PKeyType.generate_key} can be called multiple times on the same key to generate new keys. """ key = PKey() for type, bits in [(TYPE_RSA, 512), (TYPE_DSA, 576)]: key.generate_key(type, bits) self.assertEqual(key.type(), type) self.assertEqual(key.bits(), bits)
def gen_rsa(): """ Generate an RSA Key Pair for digital signature this is designed to be called once per user TODO maybe this belongs in server-specific code since server will need to know public and private keys """ pkey = PKey() pkey.generate_key(TYPE_RSA, RSA_BITS) pkey.check() return pkey
def test_signWithPublicKey(self): """ L{X509Req.sign} raises L{ValueError} when pass a L{PKey} with no private part as the signing key. """ request = self.signable() key = PKey() key.generate_key(TYPE_RSA, 512) request.set_pubkey(key) pub = request.get_pubkey() self.assertRaises(ValueError, request.sign, pub, 'MD5')
def createDGPairs(username): private_path = 'private/' public_path = 'public/' private_path += username public_path += username P = PKey() P.generate_key(TYPE_RSA, 1024) #写入 with open(public_path,'w') as f: f.write(dump_publickey(FILETYPE_PEM, P).decode('utf-8')) with open(private_path,'w') as f: f.write(dump_privatekey(FILETYPE_PEM, P).decode('utf-8'))
def createDGPairs(username): private_path = 'private/' public_path = 'public/' private_path += username public_path += username P = PKey() P.generate_key(TYPE_RSA, 1024) #写入 with open(public_path, 'w') as f: f.write(dump_publickey(FILETYPE_PEM, P).decode('utf-8')) with open(private_path, 'w') as f: f.write(dump_privatekey(FILETYPE_PEM, P).decode('utf-8'))
def check_success(self): """ Call the method repeatedly such that it will return a PKey object. """ small = xrange(3) for i in xrange(self.iterations): key = PKey() key.generate_key(TYPE_DSA, 256) for i in small: cert = X509() cert.set_pubkey(key) for i in small: cert.get_pubkey()
def test_dsaGeneration(self): """ L{PKeyType.generate_key} generates a DSA key when passed L{TYPE_DSA} as a type and a reasonable number of bits. """ # 512 is a magic number. The DSS (Digital Signature Standard) # allows a minimum of 512 bits for DSA. DSA_generate_parameters # will silently promote any value below 512 to 512. bits = 512 key = PKey() key.generate_key(TYPE_DSA, bits) self.assertEqual(key.type(), TYPE_DSA) self.assertEqual(key.bits(), bits)
def create_session_cert(cacert, cakey, cn='localhost', serial=1): LOG.debug('Creating session certificate') key = PKey() key.generate_key(TYPE_RSA, 1024) cert = X509() cert.get_subject().CN = cn cert.set_serial_number(serial) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(365*24*60*60) cert.set_issuer(cacert.get_subject()) cert.set_pubkey(key) cert.sign(cakey, 'sha1') return cert, key
def make_certs_and_key(device_public_key: bytes): priv_key = PKey() priv_key.generate_key(TYPE_RSA, 2048) req = make_req(priv_key) cert = make_cert(req, priv_key) dev_key = load_publickey(PEM, convert_PKCS1_to_PKCS8_pubkey(device_public_key)) dev_key._only_public = False dev_req = make_req(dev_key, 'Device') dev_cert = make_cert(dev_req, priv_key) return dump_certificate(PEM, cert), dump_privatekey( PEM, priv_key), dump_certificate(PEM, dev_cert)
def test(request): pk = PKey() pk.generate_key(TYPE_RSA, 512) pri_key = dump_privatekey(FILETYPE_PEM, pk) # 生成私钥 pub_key = dump_publickey(FILETYPE_PEM, pk) # 生成公钥 dic = {} dic["pri_key"] = pri_key.decode() dic["pub_key"] = pub_key.decode() print(type(pri_key)) print(dic) return HttpResponse(json.dumps(dic, ensure_ascii=False), content_type="application/json") # 返回公私钥
def generate_key(): pk = PKey() pk.generate_key(TYPE_RSA, 2048) # 生成公钥文件 public_key = dump_publickey(FILETYPE_PEM, pk) public_key_path = os.path.join(os.path.dirname(__file__), 'public_key.pem') file_public_key = open(public_key_path, 'wb') file_public_key.write(public_key) file_public_key.close() # 生成私钥文件 private_key = dump_privatekey(FILETYPE_PEM, pk) private_key_path = os.path.join(os.path.dirname(__file__), 'private_key.pem') file_private_key = open(private_key_path, 'wb') file_private_key.write(private_key) file_private_key.close()
def makeCertificate(**kw): keypair = PKey() keypair.generate_key(TYPE_RSA, 1024) certificate = X509() certificate.gmtime_adj_notBefore(0) certificate.gmtime_adj_notAfter(60 * 60 * 24 * 365) # One year for xname in certificate.get_issuer(), certificate.get_subject(): for (k, v) in kw.items(): setattr(xname, k, v) certificate.set_serial_number(counter()) certificate.set_pubkey(keypair) certificate.sign(keypair, "md5") return keypair, certificate
def makeCertificate(**kw): keypair = PKey() keypair.generate_key(TYPE_RSA, 512) certificate = X509() certificate.gmtime_adj_notBefore(0) certificate.gmtime_adj_notAfter(60 * 60 * 24 * 365) # One year for xname in certificate.get_issuer(), certificate.get_subject(): for (k, v) in kw.items(): setattr(xname, k, v) certificate.set_serial_number(counter()) certificate.set_pubkey(keypair) certificate.sign(keypair, "md5") return keypair, certificate
def create_self_signed_cacert(): LOG.debug('Creating CA certificate') cakey = PKey() cakey.generate_key(TYPE_RSA, 1024) cacert = X509() cacert.get_subject().CN = 'n3' cacert.set_serial_number(1) cacert.gmtime_adj_notBefore(0) cacert.gmtime_adj_notAfter(365*24*60*60) cacert.set_issuer(cacert.get_subject()) cacert.set_pubkey(cakey) cacert.add_extensions([ X509Extension(b'basicConstraints', True, b'CA:TRUE, pathlen:0'), X509Extension(b'keyUsage', True, b'keyCertSign, cRLSign'), X509Extension(b'subjectKeyIdentifier', False, b'hash', subject=cacert)]) cacert.sign(cakey, 'sha1') return cacert, cakey
def _create_self_signed_cert(self): key = None cert = None if exists(self._key_path): try: with open(self._key_path, 'r') as key_file: key = load_privatekey(FILETYPE_PEM, key_file.read()) except crypto_error: pass if exists(self._cert_path): try: with open(self._cert_path, 'r') as cert_file: cert = load_certificate(FILETYPE_PEM, cert_file.read()) except crypto_error: pass if key is None: key = PKey() key.generate_key(TYPE_RSA, 2048) if not exists(dirname(self._key_path)): makedirs(dirname(self._key_path)) with open(self._key_path, "w") as key_file: key_file.write( dump_privatekey(FILETYPE_PEM, key)) if cert is None: cert = X509() cert.get_subject().C = "US" cert.get_subject().ST = "California" cert.get_subject().L = "Palo Alto" cert.get_subject().O = "Juniper Networks" cert.get_subject().OU = "Contrail" cert.get_subject().CN = "Contrail's IF-MAP v2" cert.set_serial_number(1) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(10*365*24*60*60) # Ten years cert.set_issuer(cert.get_subject()) cert.set_pubkey(key) cert.sign(key, 'sha1') if not exists(dirname(self._cert_path)): makedirs(dirname(self._cert_path)) with open(self._cert_path, 'w') as cert_file: cert_file.write(dump_certificate(FILETYPE_PEM, cert))
def _create_self_signed_cert(self): key = None cert = None if exists(self._key_path): try: with open(self._key_path, "r") as key_file: key = load_privatekey(FILETYPE_PEM, key_file.read()) except crypto_error: pass if exists(self._cert_path): try: with open(self._cert_path, "r") as cert_file: cert = load_certificate(FILETYPE_PEM, cert_file.read()) except crypto_error: pass if key is None: key = PKey() key.generate_key(TYPE_RSA, 2048) if not exists(dirname(self._key_path)): makedirs(dirname(self._key_path)) with open(self._key_path, "w") as key_file: key_file.write(dump_privatekey(FILETYPE_PEM, key)) if cert is None: cert = X509() cert.get_subject().C = "US" cert.get_subject().ST = "California" cert.get_subject().L = "Palo Alto" cert.get_subject().O = "Juniper Networks" cert.get_subject().OU = "Contrail" cert.get_subject().CN = "Contrail's IF-MAP v2" cert.set_serial_number(1) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(10 * 365 * 24 * 60 * 60) # Ten years cert.set_issuer(cert.get_subject()) cert.set_pubkey(key) cert.sign(key, "sha1") if not exists(dirname(self._cert_path)): makedirs(dirname(self._cert_path)) with open(self._cert_path, "w") as cert_file: cert_file.write(dump_certificate(FILETYPE_PEM, cert))
def create_csr(store, dn_cn, hostcert, sans = None, dn_ou = CS_DEF_RA_OU, dn_l = CS_DEF_RA_L, dn_o = CS_DEF_CA_O, dn_c = CS_DEF_CA_C, email = CS_DEF_EMAIL, keybits = CS_DEF_KEYBITS, ): """ Create a CSR PEM string for the given parameters. """ if not store.get_state() == CS_Const.Nothing: raise Exception("Certificate in wrong state to create new CSR.") # Generate a key key = PKey() key.generate_key(crypto.TYPE_RSA, keybits) # Generate a CSR csr = X509Req() csr.set_pubkey(key) dn = csr.get_subject() dn.CN = dn_cn dn.OU = dn_ou dn.L = dn_l dn.O = dn_o dn.C = dn_c # Create the relevant extension if hostcert: ext_details = ["DNS:%s" % dn_cn] else: ext_details = ["email:%s" % email] if sans: ext_details.extend(sans) ext = X509Extension("subjectAltName", False, ','.join(ext_details)) csr.add_extensions([ext]) csr.sign(key, "md5") # Convert the CSR & KEY to PEM files key_pem = crypto.dump_privatekey(crypto.FILETYPE_PEM, key) csr_pem = crypto.dump_certificate_request(crypto.FILETYPE_PEM, csr) # Write them out to the store store.write(CS_Const.KEY_FILE, key_pem, CS_DEF_KEYPERMS) store.write(CS_Const.CSR_FILE, csr_pem, CS_DEF_CSRPERMS) # Just to be 100% sure everything is compabile... # ... Ensure the key is in PKCS#1 format CS_CertTools.pkcs8_to_pkcs1(store.get_path(CS_Const.KEY_FILE))
def get_user_id(private_key, cert_path): if os.path.exists(private_key): with open(private_key) as fd: key = load_privatekey(FILETYPE_PEM, fd.read()) if key.bits() != 1024: os.unlink(private_key) else: user_id = get_service_id(private_key) if not os.path.exists(private_key): if os.path.exists(cert_path): os.unlink(cert_path) folder = os.path.dirname(private_key) if not os.path.exists(folder): os.makedirs(folder) os.chmod(folder, 0o700) key = PKey() key.generate_key(TYPE_RSA, 1024) with open(private_key, 'wb') as fd: os.chmod(private_key, 0o600) fd.write(dump_privatekey(FILETYPE_PEM, key)) os.chmod(private_key, 0o400) user_id = get_service_id(private_key) if not os.path.exists(cert_path): ca = X509() ca.set_version(2) ca.set_serial_number(1) ca.get_subject().CN = user_id ca.gmtime_adj_notBefore(0) ca.gmtime_adj_notAfter(24 * 60 * 60) ca.set_issuer(ca.get_subject()) ca.set_pubkey(key) ca.add_extensions([ X509Extension(b"basicConstraints", True, b"CA:TRUE, pathlen:0"), X509Extension(b"nsCertType", True, b"sslCA"), X509Extension( b"extendedKeyUsage", True, b"serverAuth,clientAuth,emailProtection,timeStamping,msCodeInd,msCodeCom,msCTLSign,msSGC,msEFS,nsSGC" ), X509Extension(b"keyUsage", False, b"keyCertSign, cRLSign"), X509Extension(b"subjectKeyIdentifier", False, b"hash", subject=ca), ]) ca.sign(key, "sha256") with open(cert_path, 'wb') as fd: fd.write(dump_certificate(FILETYPE_PEM, ca)) return user_id
def create_csr_key(subject): key = PKey() key.generate_key(TYPE_RSA, 2048) req = X509Req() req.get_subject().CN = subject['CN'] req.get_subject().O = subject['O'] # noqa: E741 req.get_subject().OU = subject['OU'] req.get_subject().L = subject['L'] req.get_subject().ST = subject['ST'] req.get_subject().C = subject['C'] req.set_pubkey(key) req.sign(key, 'sha256') csr = dump_certificate_request(FILETYPE_PEM, req) privatekey = dump_privatekey(FILETYPE_PEM, key).decode('utf-8') return csr, privatekey
def get_user_id(private_key, cert_path): if os.path.exists(private_key): with open(private_key) as fd: key = load_privatekey(FILETYPE_PEM, fd.read()) if key.bits() != 1024: os.unlink(private_key) else: user_id = get_service_id(private_key) if not os.path.exists(private_key): if os.path.exists(cert_path): os.unlink(cert_path) folder = os.path.dirname(private_key) if not os.path.exists(folder): os.makedirs(folder) os.chmod(folder, 0o700) key = PKey() key.generate_key(TYPE_RSA, 1024) with open(private_key, 'wb') as fd: os.chmod(private_key, 0o600) fd.write(dump_privatekey(FILETYPE_PEM, key)) os.chmod(private_key, 0o400) user_id = get_service_id(private_key) if not os.path.exists(cert_path): ca = X509() ca.set_version(2) ca.set_serial_number(1) ca.get_subject().CN = user_id ca.gmtime_adj_notBefore(0) ca.gmtime_adj_notAfter(24 * 60 * 60) ca.set_issuer(ca.get_subject()) ca.set_pubkey(key) ca.add_extensions([ X509Extension(b"basicConstraints", True, b"CA:TRUE, pathlen:0"), X509Extension(b"nsCertType", True, b"sslCA"), X509Extension(b"extendedKeyUsage", True, b"serverAuth,clientAuth,emailProtection,timeStamping,msCodeInd,msCodeCom,msCTLSign,msSGC,msEFS,nsSGC"), X509Extension(b"keyUsage", False, b"keyCertSign, cRLSign"), X509Extension(b"subjectKeyIdentifier", False, b"hash", subject=ca), ]) ca.sign(key, "sha256") with open(cert_path, 'wb') as fd: fd.write(dump_certificate(FILETYPE_PEM, ca)) return user_id
def create_self_signed_cert(cert_file_path): private_key_path = re.sub(r".(pem|crt)$", ".key", cert_file_path, flags=re.IGNORECASE) # create public/private key key = PKey() key.generate_key(TYPE_RSA, 2048) # Self-signed cert cert = X509() #subject = X509Name(cert.get_subject()) subject = cert.get_subject() subject.CN = 'localhost' subject.O = 'XYZ Widgets Inc' subject.OU = 'IT Department' subject.L = 'Seattle' subject.ST = 'Washington' subject.C = 'US' subject.emailAddress = '*****@*****.**' cert.set_version(2) cert.set_issuer(subject) cert.set_subject(subject) #cert.set_serial_number(int(os.urandom(16).encode('hex'),16)) cert.set_serial_number(int(rand.bytes(16).encode('hex'), 16)) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(31536000) cert.set_pubkey(key) cert.add_extensions([ X509Extension("basicConstraints", True, "CA:TRUE, pathlen:0"), X509Extension("keyUsage", True, "keyCertSign, cRLSign"), X509Extension("subjectKeyIdentifier", False, "hash", subject=cert), ]) cert.sign(key, 'sha256') with open(cert_file_path, 'wb+') as f: f.write(dump_certificate(FILETYPE_PEM, cert)) with open(private_key_path, 'wb+') as f: f.write(dump_privatekey(FILETYPE_PEM, key))
def _create_pkey(self, commonname, serial): """ Generate a key pair and store it in the private key directory The key file will be named from the common name """ pkey = PKey() pkey.generate_key(crypto.TYPE_RSA, self.key_bits) private = crypto.dump_privatekey(crypto.FILETYPE_PEM, pkey).decode() key_path = self._get_key_path(commonname, serial) if os.path.exists(key_path): raise FileExistsError(key_path) with open(key_path, 'w') as private_file: private_file.writelines(private) key_link = self._get_key_link(commonname) if os.path.exists(key_link): os.unlink(key_link) os.symlink(os.path.basename(key_path), key_link) return pkey
def make_certs_and_key(device_public_key: bytes): """ 1. create private key 2. create certificate """ device_key = load_publickey( PEM, convert_PKCS1_to_PKCS8_pubkey(device_public_key)) device_key._only_public = False # root key root_key = PKey() root_key.generate_key(TYPE_RSA, 2048) host_req = make_req(root_key) host_cert = make_cert(host_req, root_key) device_req = make_req(device_key, 'Device') device_cert = make_cert(device_req, root_key) return dump_certificate(PEM, host_cert), dump_privatekey( PEM, root_key), dump_certificate(PEM, device_cert)
def generate_ca_cert(path, common_name): if os.path.exists(path): print("Cert already exists at %s, not regenerating" % path) return # Generate key key = PKey() key.generate_key(TYPE_RSA, 2048) # Generate certificate cert = X509() cert.set_version(3) cert.set_serial_number(1) cert.get_subject().CN = common_name cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(315360000) cert.set_issuer(cert.get_subject()) cert.set_pubkey(key) cert.sign(key, "sha256") with open(path, 'wb+') as f: f.write(dump_privatekey(FILETYPE_PEM, key)) f.write(dump_certificate(FILETYPE_PEM, cert))
def otherMakeCertificate(**kw): keypair = PKey() keypair.generate_key(TYPE_RSA, 1024) req = X509Req() subj = req.get_subject() for (k, v) in kw.items(): setattr(subj, k, v) req.set_pubkey(keypair) req.sign(keypair, "md5") cert = X509() cert.set_serial_number(counter()) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(60 * 60 * 24 * 365) # One year cert.set_issuer(req.get_subject()) cert.set_subject(req.get_subject()) cert.set_pubkey(req.get_pubkey()) cert.sign(keypair, "md5") return keypair, cert
class CertificateAuthority(object): def __init__(self, ca_file='ca.pem', cache_dir=gettempdir()): ''' The constructor for making a certificate authority file ''' self.ca_file = ca_file self.cache_dir = cache_dir self._serial = self._get_serial() if not path.exists(ca_file): self._generate_ca() else: self.readCertificateAuthorityFile(ca_file) def _get_serial(self): ''' Makes sure that every certificate is associated with an unique serial number ''' s = 1 for c in filter(lambda x: x.startswith('.pymp_'), listdir(self.cache_dir)): c = load_certificate(FILETYPE_PEM, open(path.sep.join([self.cache_dir, c])).read()) sc = c.get_serial_number() if sc > s: s = sc del c return s def _generate_ca(self): ''' This function generates the certificate authority file ''' # Generate key self.key = PKey() self.key.generate_key(TYPE_RSA, 2048) # Generate certificate self.cert = X509() self.cert.set_version(3) self.cert.set_serial_number(1) self.cert.get_subject().CN = 'ca.mitm.com' self.cert.gmtime_adj_notBefore(0) self.cert.gmtime_adj_notAfter(315360000) self.cert.set_issuer(self.cert.get_subject()) self.cert.set_pubkey(self.key) self.cert.add_extensions([ X509Extension("basicConstraints", True, "CA:TRUE, pathlen:0"), X509Extension("keyUsage", True, "keyCertSign, cRLSign"), X509Extension("subjectKeyIdentifier", False, "hash", subject=self.cert), ]) self.cert.sign(self.key, "sha1") with open(self.ca_file, 'wb+') as f: f.write(dump_privatekey(FILETYPE_PEM, self.key)) f.write(dump_certificate(FILETYPE_PEM, self.cert)) def readCertificateAuthorityFile(self, file): ''' Reads a CA file assuming it is already present and configured ''' self.cert = load_certificate(FILETYPE_PEM, open(file).read()) self.key = load_privatekey(FILETYPE_PEM, open(file).read()) def __getitem__(self, cn): ''' Gets the specified Certificate authority file if it already exists, else creates one! ''' cnp = path.sep.join([self.cache_dir, '.pymp_%s.pem' % cn]) if not path.exists(cnp): # create certificate key = PKey() key.generate_key(TYPE_RSA, 2048) # Generate CSR req = X509Req() req.get_subject().CN = cn req.set_pubkey(key) req.sign(key, 'sha1') # Sign CSR cert = X509() cert.set_subject(req.get_subject()) cert.set_serial_number(self.serial) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(31536000) cert.set_issuer(self.cert.get_subject()) cert.set_pubkey(req.get_pubkey()) cert.sign(self.key, 'sha1') with open(cnp, 'wb+') as f: f.write(dump_privatekey(FILETYPE_PEM, key)) f.write(dump_certificate(FILETYPE_PEM, cert)) return cnp @property def serial(self): ''' A static function which generates a unique serial number for every certificate ''' self._serial += 1 return self._serial
class CAAuth(object): ''' 用于CA证书的生成以及代理证书的自签名 ''' def __init__(self,ca_file = "ca.pem", cert_file = 'ca.crt'): self.ca_file_path = os.path.join(os.path.dirname(os.path.abspath(__file__)),ca_file) self.cert_file_path = os.path.join(os.path.dirname(os.path.abspath(__file__)), cert_file) self._gen_ca()#生成CA证书,需要添加到浏览器的合法证书机构中 def _gen_ca(self,again=False): # Generate key #如果证书存在而且不是强制生成,直接返回证书信息 if os.path.exists(self.ca_file_path) and os.path.exists(self.cert_file_path) and not again: self._read_ca(self.ca_file_path) #读取证书信息 return self.key = PKey() self.key.generate_key(TYPE_RSA, 2048) # Generate certificate self.cert = X509() self.cert.set_version(2) self.cert.set_serial_number(1) self.cert.get_subject().CN = 'baseproxy' self.cert.gmtime_adj_notBefore(0) self.cert.gmtime_adj_notAfter(315360000) self.cert.set_issuer(self.cert.get_subject()) self.cert.set_pubkey(self.key) self.cert.add_extensions([ X509Extension(b"basicConstraints", True, b"CA:TRUE, pathlen:0"), X509Extension(b"keyUsage", True, b"keyCertSign, cRLSign"), X509Extension(b"subjectKeyIdentifier", False, b"hash", subject=self.cert), ]) self.cert.sign(self.key, "sha256") with open(self.ca_file_path, 'wb+') as f: f.write(dump_privatekey(FILETYPE_PEM, self.key)) f.write(dump_certificate(FILETYPE_PEM, self.cert)) with open(self.cert_file_path, 'wb+') as f: f.write(dump_certificate(FILETYPE_PEM, self.cert)) def _read_ca(self, file): self.cert = load_certificate(FILETYPE_PEM, open(file,'rb').read()) self.key = load_privatekey(FILETYPE_PEM, open(file,'rb').read()) def __getitem__(self, cn): #将为每个域名生成的服务器证书,放到临时目录中 cache_dir =gettempdir() root_dir = os.path.join(cache_dir,'baseproxy') if not os.path.exists(root_dir): os.makedirs(root_dir) cnp = os.path.join(root_dir,"baseproxy_{}.pem".format(cn)) if not os.path.exists(cnp): self._sign_ca(cn,cnp) return cnp def _sign_ca(self,cn,cnp): #使用合法的CA证书为代理程序生成服务器证书 # create certificate try: key = PKey() key.generate_key(TYPE_RSA, 2048) # Generate CSR req = X509Req() req.get_subject().CN = cn req.set_pubkey(key) req.sign(key, 'sha256') # Sign CSR cert = X509() cert.set_version(2) cert.set_subject(req.get_subject()) cert.set_serial_number(self.serial) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(31536000) cert.set_issuer(self.cert.get_subject()) ss = ("DNS:%s" % cn).encode(encoding="utf-8") cert.add_extensions( [X509Extension(b"subjectAltName", False, ss)]) cert.set_pubkey(req.get_pubkey()) cert.sign(self.key, 'sha256') with open(cnp, 'wb+') as f: f.write(dump_privatekey(FILETYPE_PEM, key)) f.write(dump_certificate(FILETYPE_PEM, cert)) except Exception as e: raise Exception("generate CA fail:{}".format(str(e))) @property def serial(self): return int("%d" % (time.time() * 1000))
# See LICENSE for details. # # Stress tester for thread-related bugs in global_passphrase_callback in # src/ssl/context.c. In 0.7 and earlier, this will somewhat reliably # segfault or abort after a few dozen to a few thousand iterations on an SMP # machine (generally not on a UP machine) due to uses of Python/C API # without holding the GIL. from itertools import count from threading import Thread from OpenSSL.SSL import Context, TLSv1_METHOD from OpenSSL.crypto import TYPE_RSA, FILETYPE_PEM, PKey, dump_privatekey k = PKey() k.generate_key(TYPE_RSA, 128) file('pkey.pem', 'w').write(dump_privatekey(FILETYPE_PEM, k, "blowfish", "foobar")) count = count() def go(): def cb(a, b, c): print count.next() return "foobar" c = Context(TLSv1_METHOD) c.set_passwd_cb(cb) while 1: c.use_privatekey_file('pkey.pem') threads = [Thread(target=go, args=()) for i in xrange(2)] for th in threads: th.start()
def generate_rsa(): keys = [] for i in range(100): key = PKey() key.generate_key(TYPE_RSA, 1024) keys.append(key)
def generate_dsa(): keys = [] for i in range(100): key = PKey() key.generate_key(TYPE_DSA, 512) keys.append(key)
class CertificateAuthority(object): def __init__(self, ca_file='ca.pem', cache_dir=gettempdir()): self.ca_file = ca_file self.cache_dir = cache_dir self._serial = self._get_serial() if not path.exists(ca_file): self._generate_ca() else: self._read_ca(ca_file) def _get_serial(self): s = 1 for c in filter(lambda x: x.startswith('.pymp_'), listdir(self.cache_dir)): c = load_certificate(FILETYPE_PEM, open(path.sep.join([self.cache_dir, c])).read()) sc = c.get_serial_number() if sc > s: s = sc del c return s def _generate_ca(self): # Generate key self.key = PKey() self.key.generate_key(TYPE_RSA, 2048) # Generate certificate self.cert = X509() self.cert.set_version(3) self.cert.set_serial_number(1) self.cert.get_subject().CN = 'ca.mitm.com' self.cert.gmtime_adj_notBefore(0) self.cert.gmtime_adj_notAfter(315360000) self.cert.set_issuer(self.cert.get_subject()) self.cert.set_pubkey(self.key) self.cert.add_extensions([ X509Extension("basicConstraints", True, "CA:TRUE, pathlen:0"), X509Extension("keyUsage", True, "keyCertSign, cRLSign"), X509Extension("subjectKeyIdentifier", False, "hash", subject=self.cert), ]) self.cert.sign(self.key, "sha1") with open(self.ca_file, 'wb+') as f: f.write(dump_privatekey(FILETYPE_PEM, self.key)) f.write(dump_certificate(FILETYPE_PEM, self.cert)) def _read_ca(self, file): self.cert = load_certificate(FILETYPE_PEM, open(file).read()) self.key = load_privatekey(FILETYPE_PEM, open(file).read()) def __getitem__(self, cn): cnp = path.sep.join([self.cache_dir, '.pymp_%s.pem' % cn]) if not path.exists(cnp): # create certificate key = PKey() key.generate_key(TYPE_RSA, 2048) # Generate CSR req = X509Req() req.get_subject().CN = cn req.set_pubkey(key) req.sign(key, 'sha1') # Sign CSR cert = X509() cert.set_subject(req.get_subject()) cert.set_serial_number(self.serial) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(31536000) cert.set_issuer(self.cert.get_subject()) cert.set_pubkey(req.get_pubkey()) cert.sign(self.key, 'sha1') with open(cnp, 'wb+') as f: f.write(dump_privatekey(FILETYPE_PEM, key)) f.write(dump_certificate(FILETYPE_PEM, cert)) return cnp @property def serial(self): self._serial += 1 return self._serial