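def certidude_setup_authority(parent, country, state, locality, organization, organizational_unit, common_name, directory, crl_age, lifetime, pkcs11, group, crl_distribution_url, ocsp_responder_url, email_address, inbox, outbox):
    """Create a self-signed root certificate authority in ``directory``.

    Generates a 4096-bit RSA key, a self-signed X.509v3 CA certificate
    (basicConstraints, keyUsage, subjectKeyIdentifier, crlDistributionPoints,
    authorityInfoAccess and optionally subjectAltName), an empty initial CRL
    and a ``serial`` counter file, writes them with restrictive permissions
    and prints the follow-up commands for the operator.

    Args:
        parent, inbox, outbox: accepted for CLI compatibility; not used here
            (they are visible to the rendered openssl.cnf via ``locals()``).
        country, state, locality, organization, organizational_unit,
            common_name: components of the CA subject DN. ``common_name`` is
            also the host in the default CRL and OCSP URLs.
        directory: target directory; its basename is the CA slug.
        crl_age: validity of the initial CRL, in days.
        lifetime: validity of the CA certificate, in days.
        pkcs11: hardware-token flag; raises ``NotImplementedError`` if set.
        group: name looked up in the password database; the process switches
            to that account's gid before touching the filesystem.
        crl_distribution_url, ocsp_responder_url: optional overrides for the
            CRL distribution point and OCSP responder URLs.
        email_address: optional address placed in subjectAltName.

    Raises:
        click.ClickException: if ``ca_key.pem`` already exists in
            ``directory`` (refusing to overwrite a live CA key) or
            ``email_address`` contains a comma or whitespace.
        NotImplementedError: if ``pkcs11`` is requested.
        KeyError: if ``group`` is not in the password database.

    Side effects: calls ``os.setgid`` and leaves the process umask at 0o077.
    """
    logging.info("Creating certificate authority in %s", directory)

    # NOTE(review): ``group`` is resolved through pwd (the *user* database)
    # and only the gid is switched; the effective uid is unchanged. Confirm
    # that this is the intended privilege model rather than grp.getgrnam.
    _, _, uid, gid, gecos, root, shell = pwd.getpwnam(group)
    os.setgid(gid)

    # File paths
    ca_key = os.path.join(directory, "ca_key.pem")
    ca_crt = os.path.join(directory, "ca_crt.pem")
    ca_crl = os.path.join(directory, "ca_crl.pem")

    # Everything below is opened with "wb"; never silently replace the private
    # key of an authority that has already been set up in this directory.
    if os.path.exists(ca_key):
        raise click.ClickException("CA key %s already exists, refusing to overwrite it" % ca_key)

    # Fail fast on unsupported or invalid options before the expensive key generation.
    if pkcs11:
        raise NotImplementedError("Hardware token support not yet implemented!")
    # The OpenSSL extension syntax is a comma-separated list, so a comma (or
    # whitespace) inside the address would introduce extra SAN entries.
    if email_address and ("," in email_address or any(c.isspace() for c in email_address)):
        raise click.ClickException("Invalid e-mail address for subjectAltName")

    click.echo("Generating 4096-bit RSA key...")
    key = crypto.PKey()
    key.generate_key(crypto.TYPE_RSA, 4096)

    slug = os.path.basename(directory)
    # Plain http is conventional for CRL/OCSP: the responses are signed by the
    # CA itself, and https here would create a circular trust dependency.
    if not crl_distribution_url:
        crl_distribution_url = "http://%s/api/%s/revoked/" % (common_name, slug)
    if not ocsp_responder_url:
        ocsp_responder_url = "http://%s/api/%s/ocsp/" % (common_name, slug)
    crl_distribution_points = "URI:%s" % crl_distribution_url
    authority_info_access = "OCSP;URI:%s" % ocsp_responder_url

    ca = crypto.X509()
    # X.509 versions are zero-based on the wire: 2 encodes v3, which a
    # certificate carrying extensions must declare. (The earlier
    # set_version(3) attempt produced an invalid "v4", hence the viewer breakage.)
    ca.set_version(2)
    ca.set_serial_number(1)
    ca.get_subject().CN = common_name
    ca.get_subject().C = country
    ca.get_subject().ST = state
    ca.get_subject().L = locality
    ca.get_subject().O = organization
    ca.get_subject().OU = organizational_unit
    ca.gmtime_adj_notBefore(0)
    ca.gmtime_adj_notAfter(lifetime * 24 * 60 * 60)
    ca.set_issuer(ca.get_subject())  # self-signed root
    ca.set_pubkey(key)
    ca.add_extensions([
        # Critical: this is a CA and its key is used only to sign certs and CRLs.
        crypto.X509Extension(b"basicConstraints", True, b"CA:TRUE"),
        crypto.X509Extension(b"keyUsage", True, b"keyCertSign, cRLSign"),
        crypto.X509Extension(b"subjectKeyIdentifier", False, b"hash", subject=ca),
        crypto.X509Extension(b"crlDistributionPoints", False, crl_distribution_points.encode("ascii")),
        crypto.X509Extension(b"authorityInfoAccess", False, authority_info_access.encode("ascii")),
    ])
    if email_address:
        subject_alt_name = "email:%s" % email_address
        ca.add_extensions([
            crypto.X509Extension(b"subjectAltName", False, subject_alt_name.encode("ascii")),
        ])

    click.echo("Signing %s..." % subject2dn(ca.get_subject()))
    # openssl x509 -in ca_crt.pem -outform DER | sha256sum
    # openssl x509 -fingerprint -sha256 -in ca_crt.pem
    # SHA-1 signatures are rejected by modern validators; sign with SHA-256.
    ca.sign(key, "sha256")

    # Directory layout: 0750 top level, 0770 working subdirectories so the
    # group can enqueue requests, 0640 certificate, 0600 private key.
    os.umask(0o027)
    if not os.path.exists(directory):
        os.makedirs(directory)

    os.umask(0o007)
    for subdir in ("signed", "requests", "revoked"):
        if not os.path.exists(os.path.join(directory, subdir)):
            os.mkdir(os.path.join(directory, subdir))

    with open(ca_crl, "wb") as fh:
        crl = crypto.CRL()
        # Pass the digest explicitly: older pyOpenSSL releases default CRL
        # signatures to MD5 and newer ones refuse to export without one.
        fh.write(crl.export(ca, key, days=crl_age, digest=b"sha256"))

    # NOTE(review): the CA certificate itself carries serial 1; confirm the
    # signer that consumes this counter does not reuse 1 for the first leaf.
    with open(os.path.join(directory, "serial"), "w") as fh:
        fh.write("1")

    os.umask(0o027)
    with open(ca_crt, "wb") as fh:
        fh.write(crypto.dump_certificate(crypto.FILETYPE_PEM, ca))

    os.umask(0o077)
    with open(ca_key, "wb") as fh:
        fh.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, key))

    # The template is rendered with every local of this function.
    click.echo("Insert following to /etc/ssl/openssl.cnf:")
    click.echo()
    click.secho(env.get_template("openssl.cnf").render(locals()), fg="blue")
    click.echo()
    click.echo("Use following commands to inspect the newly created files:")
    click.echo()
    click.echo("  openssl crl -inform PEM -text -noout -in %s" % ca_crl)
    click.echo("  openssl x509 -text -noout -in %s" % ca_crt)
    click.echo("  openssl rsa -check -in %s" % ca_key)
    click.echo("  openssl verify -CAfile %s %s" % (ca_crt, ca_crt))
    click.echo()
    click.echo("Use following to launch privilege isolated signer processes:")
    click.echo()
    click.echo("  certidude spawn")
    click.echo()
    click.echo("Use following command to serve CA read-only:")
    click.echo()
    click.echo("  certidude serve")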
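def certidude_setup_authority(parent, country, state, locality, organization, organizational_unit, common_name, directory, certificate_lifetime, authority_lifetime, revocation_list_lifetime, pkcs11, crl_distribution_url, ocsp_responder_url, email_address, inbox, outbox):
    """Create a self-signed root certificate authority in ``directory``.

    Generates a 4096-bit RSA key, a self-signed X.509v3 CA certificate
    (basicConstraints, keyUsage, subjectKeyIdentifier, crlDistributionPoints
    and optionally subjectAltName), an empty initial CRL, a ``serial``
    counter file and an ``openssl.cnf.example``, all with restrictive
    permissions, then prints follow-up commands for the operator.

    Args:
        parent, certificate_lifetime, inbox, outbox: accepted for CLI
            compatibility; not used by this function directly (they are
            visible to the rendered openssl.cnf template via ``locals()``).
        country, state, locality, organization, organizational_unit,
            common_name: components of the CA subject DN; ``common_name`` is
            also the host in the default CRL URL.
        directory: target directory; must not exist yet. Its last path
            component (one trailing slash tolerated) is the CA slug.
        authority_lifetime: validity of the CA certificate, in days.
        revocation_list_lifetime: validity of the initial CRL, in days.
        pkcs11: hardware-token flag; raises ``NotImplementedError`` if set.
        crl_distribution_url: optional override for the CRL distribution point.
        ocsp_responder_url: not supported; raises ``NotImplementedError`` if set.
        email_address: optional address placed in subjectAltName.

    Raises:
        click.ClickException: empty or invalid slug, an existing target
            directory, or an e-mail address containing a comma or whitespace.
        NotImplementedError: if ``pkcs11`` or ``ocsp_responder_url`` is given.

    Side effect: leaves the process umask at 0o077.
    """
    # The slug feeds URLs, file paths and the generated OpenSSL config.
    slug = os.path.basename(directory[:-1] if directory.endswith('/') else directory)
    if not slug:
        raise click.ClickException("Please supply proper target path")
    # Make sure slug is valid. fullmatch rather than match: "$" would still
    # accept a trailing newline.
    if not re.fullmatch(r"[_a-zA-Z0-9]+", slug):
        raise click.ClickException("CA name can contain only alphanumeric and '_' characters")
    # Refuse an existing directory so a live CA key is never overwritten (the
    # files below are opened with "wb"); lexists also catches dangling symlinks.
    if os.path.lexists(directory):
        raise click.ClickException("Output directory {} already exists.".format(directory))

    # Fail fast on unsupported or invalid options before the expensive key generation.
    if pkcs11:
        raise NotImplementedError("Hardware token support not yet implemented!")
    if ocsp_responder_url:
        # The authorityInfoAccess/OCSP extension is not emitted by this version.
        raise NotImplementedError()
    # The OpenSSL extension syntax is a comma-separated list, so a comma (or
    # whitespace) inside the address would introduce extra SAN entries.
    if email_address and re.search(r"[,\s]", email_address):
        raise click.ClickException("Invalid e-mail address for subjectAltName")

    click.echo("CA configuration files are saved to: {}".format(directory))
    click.echo("Generating 4096-bit RSA key...")
    key = crypto.PKey()
    key.generate_key(crypto.TYPE_RSA, 4096)

    # Plain http is conventional for CRLs: the list is signed by the CA
    # itself, and https here would create a circular trust dependency.
    if not crl_distribution_url:
        crl_distribution_url = "http://%s/api/%s/revoked/" % (common_name, slug)

    # File paths
    ca_key = os.path.join(directory, "ca_key.pem")
    ca_crt = os.path.join(directory, "ca_crt.pem")
    ca_crl = os.path.join(directory, "ca_crl.pem")

    crl_distribution_points = "URI:%s" % crl_distribution_url

    ca = crypto.X509()
    ca.set_version(2)  # Zero-based on the wire: 2 is X.509v3, required for extensions
    ca.set_serial_number(1)
    ca.get_subject().CN = common_name
    ca.get_subject().C = country
    ca.get_subject().ST = state
    ca.get_subject().L = locality
    ca.get_subject().O = organization
    ca.get_subject().OU = organizational_unit
    ca.gmtime_adj_notBefore(0)
    ca.gmtime_adj_notAfter(authority_lifetime * 24 * 60 * 60)
    ca.set_issuer(ca.get_subject())  # self-signed root
    ca.set_pubkey(key)
    ca.add_extensions([
        # Critical: this is a CA and its key is used only to sign certs and CRLs.
        crypto.X509Extension(b"basicConstraints", True, b"CA:TRUE"),
        crypto.X509Extension(b"keyUsage", True, b"keyCertSign, cRLSign"),
        crypto.X509Extension(b"subjectKeyIdentifier", False, b"hash", subject=ca),
        crypto.X509Extension(b"crlDistributionPoints", False, crl_distribution_points.encode("ascii")),
    ])
    if email_address:
        subject_alt_name = "email:%s" % email_address
        ca.add_extensions([
            crypto.X509Extension(b"subjectAltName", False, subject_alt_name.encode("ascii")),
        ])

    click.echo("Signing %s..." % subject2dn(ca.get_subject()))
    # openssl x509 -in ca_crt.pem -outform DER | sha256sum
    # openssl x509 -fingerprint -sha256 -in ca_crt.pem
    ca.sign(key, "sha256")

    # Directory layout: 0750 top level, 0770 working subdirectories so the
    # group can enqueue requests, 0640 certificate, 0600 private key/config.
    os.umask(0o027)
    if not os.path.exists(directory):
        os.makedirs(directory)

    os.umask(0o007)
    for subdir in ("signed", "requests", "revoked"):
        if not os.path.exists(os.path.join(directory, subdir)):
            os.mkdir(os.path.join(directory, subdir))

    with open(ca_crl, "wb") as fh:
        crl = crypto.CRL()
        # Pass the digest explicitly: older pyOpenSSL releases default CRL
        # signatures to MD5 and newer ones refuse to export without one.
        fh.write(crl.export(ca, key, days=revocation_list_lifetime, digest=b"sha256"))

    # NOTE(review): the CA certificate itself carries serial 1; confirm the
    # signer that consumes this counter does not reuse 1 for the first leaf.
    with open(os.path.join(directory, "serial"), "w") as fh:
        fh.write("1")

    os.umask(0o027)
    with open(ca_crt, "wb") as fh:
        fh.write(crypto.dump_certificate(crypto.FILETYPE_PEM, ca))

    os.umask(0o077)
    with open(ca_key, "wb") as fh:
        fh.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, key))

    # The template is rendered with every local of this function.
    with open(os.path.join(directory, "openssl.cnf.example"), "w") as fh:
        fh.write(env.get_template("openssl.cnf").render(locals()))

    click.echo("You need to copy the contents of the 'openssl.cnf.example'")
    click.echo("to system-wide OpenSSL configuration file, usually located")
    click.echo("at /etc/ssl/openssl.cnf")
    click.echo()
    click.echo("Use following commands to inspect the newly created files:")
    click.echo()
    click.echo("  openssl crl -inform PEM -text -noout -in %s" % ca_crl)
    click.echo("  openssl x509 -text -noout -in %s" % ca_crt)
    click.echo("  openssl rsa -check -in %s" % ca_key)
    click.echo("  openssl verify -CAfile %s %s" % (ca_crt, ca_crt))
    click.echo()
    click.echo("Use following to launch privilege isolated signer processes:")
    click.echo()
    click.echo("  certidude spawn")
    click.echo()
    click.echo("Use following command to serve CA read-only:")
    click.echo()
    click.echo("  certidude serve")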
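def certidude_setup_authority(parent, country, state, locality, organization, organizational_unit, common_name, directory, certificate_lifetime, authority_lifetime, revocation_list_lifetime, pkcs11, crl_distribution_url, ocsp_responder_url, email_address, inbox, outbox):
    """Create a self-signed root certificate authority in ``directory``.

    Generates a 4096-bit RSA key, a self-signed X.509v3 CA certificate
    (basicConstraints, keyUsage, subjectKeyIdentifier, crlDistributionPoints
    and optionally subjectAltName), an empty initial CRL, a ``serial``
    counter file and an ``openssl.cnf.example``, all with restrictive
    permissions, then prints follow-up commands for the operator.

    Args:
        parent, certificate_lifetime, inbox, outbox: accepted for CLI
            compatibility; not used by this function directly (they are
            visible to the rendered openssl.cnf template via ``locals()``).
        country, state, locality, organization, organizational_unit,
            common_name: components of the CA subject DN; ``common_name`` is
            also the host in the default CRL URL.
        directory: target directory; must not exist yet. Its last path
            component (one trailing slash tolerated) is the CA slug.
        authority_lifetime: validity of the CA certificate, in days.
        revocation_list_lifetime: validity of the initial CRL, in days.
        pkcs11: hardware-token flag; raises ``NotImplementedError`` if set.
        crl_distribution_url: optional override for the CRL distribution point.
        ocsp_responder_url: not supported; raises ``NotImplementedError`` if set.
        email_address: optional address placed in subjectAltName.

    Raises:
        click.ClickException: empty or invalid slug, an existing target
            directory, or an e-mail address containing a comma or whitespace.
        NotImplementedError: if ``pkcs11`` or ``ocsp_responder_url`` is given.

    Side effect: leaves the process umask at 0o077.
    """
    # The slug feeds URLs, file paths and the generated OpenSSL config.
    slug = os.path.basename(directory[:-1] if directory.endswith('/') else directory)
    if not slug:
        raise click.ClickException("Please supply proper target path")
    # Make sure slug is valid. fullmatch rather than match: "$" would still
    # accept a trailing newline.
    if not re.fullmatch(r"[_a-zA-Z0-9]+", slug):
        raise click.ClickException("CA name can contain only alphanumeric and '_' characters")
    # Refuse an existing directory so a live CA key is never overwritten (the
    # files below are opened with "wb"); lexists also catches dangling symlinks.
    if os.path.lexists(directory):
        raise click.ClickException("Output directory {} already exists.".format(directory))

    # Fail fast on unsupported or invalid options before the expensive key generation.
    if pkcs11:
        raise NotImplementedError("Hardware token support not yet implemented!")
    if ocsp_responder_url:
        # The authorityInfoAccess/OCSP extension is not emitted by this version.
        raise NotImplementedError()
    # The OpenSSL extension syntax is a comma-separated list, so a comma (or
    # whitespace) inside the address would introduce extra SAN entries.
    if email_address and re.search(r"[,\s]", email_address):
        raise click.ClickException("Invalid e-mail address for subjectAltName")

    click.echo("CA configuration files are saved to: {}".format(directory))
    click.echo("Generating 4096-bit RSA key...")
    key = crypto.PKey()
    key.generate_key(crypto.TYPE_RSA, 4096)

    # Plain http is conventional for CRLs: the list is signed by the CA
    # itself, and https here would create a circular trust dependency.
    if not crl_distribution_url:
        crl_distribution_url = "http://%s/api/%s/revoked/" % (common_name, slug)

    # File paths
    ca_key = os.path.join(directory, "ca_key.pem")
    ca_crt = os.path.join(directory, "ca_crt.pem")
    ca_crl = os.path.join(directory, "ca_crl.pem")

    crl_distribution_points = "URI:%s" % crl_distribution_url

    ca = crypto.X509()
    ca.set_version(2)  # Zero-based on the wire: 2 is X.509v3, required for extensions
    ca.set_serial_number(1)
    ca.get_subject().CN = common_name
    ca.get_subject().C = country
    ca.get_subject().ST = state
    ca.get_subject().L = locality
    ca.get_subject().O = organization
    ca.get_subject().OU = organizational_unit
    ca.gmtime_adj_notBefore(0)
    ca.gmtime_adj_notAfter(authority_lifetime * 24 * 60 * 60)
    ca.set_issuer(ca.get_subject())  # self-signed root
    ca.set_pubkey(key)
    ca.add_extensions([
        # Critical: this is a CA and its key is used only to sign certs and CRLs.
        crypto.X509Extension(b"basicConstraints", True, b"CA:TRUE"),
        crypto.X509Extension(b"keyUsage", True, b"keyCertSign, cRLSign"),
        crypto.X509Extension(b"subjectKeyIdentifier", False, b"hash", subject=ca),
        crypto.X509Extension(b"crlDistributionPoints", False, crl_distribution_points.encode("ascii")),
    ])
    if email_address:
        subject_alt_name = "email:%s" % email_address
        ca.add_extensions([
            crypto.X509Extension(b"subjectAltName", False, subject_alt_name.encode("ascii")),
        ])

    click.echo("Signing %s..." % subject2dn(ca.get_subject()))
    # openssl x509 -in ca_crt.pem -outform DER | sha256sum
    # openssl x509 -fingerprint -sha256 -in ca_crt.pem
    ca.sign(key, "sha256")

    # Directory layout: 0750 top level, 0770 working subdirectories so the
    # group can enqueue requests, 0640 certificate, 0600 private key/config.
    os.umask(0o027)
    if not os.path.exists(directory):
        os.makedirs(directory)

    os.umask(0o007)
    for subdir in ("signed", "requests", "revoked"):
        if not os.path.exists(os.path.join(directory, subdir)):
            os.mkdir(os.path.join(directory, subdir))

    with open(ca_crl, "wb") as fh:
        crl = crypto.CRL()
        # Pass the digest explicitly: older pyOpenSSL releases default CRL
        # signatures to MD5 and newer ones refuse to export without one.
        fh.write(crl.export(ca, key, days=revocation_list_lifetime, digest=b"sha256"))

    # NOTE(review): the CA certificate itself carries serial 1; confirm the
    # signer that consumes this counter does not reuse 1 for the first leaf.
    with open(os.path.join(directory, "serial"), "w") as fh:
        fh.write("1")

    os.umask(0o027)
    with open(ca_crt, "wb") as fh:
        fh.write(crypto.dump_certificate(crypto.FILETYPE_PEM, ca))

    os.umask(0o077)
    with open(ca_key, "wb") as fh:
        fh.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, key))

    # The template is rendered with every local of this function.
    with open(os.path.join(directory, "openssl.cnf.example"), "w") as fh:
        fh.write(env.get_template("openssl.cnf").render(locals()))

    click.echo("You need to copy the contents of the 'openssl.cnf.example'")
    click.echo("to system-wide OpenSSL configuration file, usually located")
    click.echo("at /etc/ssl/openssl.cnf")
    click.echo()
    click.echo("Use following commands to inspect the newly created files:")
    click.echo()
    click.echo("  openssl crl -inform PEM -text -noout -in %s" % ca_crl)
    click.echo("  openssl x509 -text -noout -in %s" % ca_crt)
    click.echo("  openssl rsa -check -in %s" % ca_key)
    click.echo("  openssl verify -CAfile %s %s" % (ca_crt, ca_crt))
    click.echo()
    click.echo("Use following to launch privilege isolated signer processes:")
    click.echo()
    click.echo("  certidude spawn")
    click.echo()
    click.echo("Use following command to serve CA read-only:")
    click.echo()
    click.echo("  certidude serve")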
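def certidude_setup_authority(parent, country, state, locality, organization, organizational_unit, common_name, directory, crl_age, lifetime, pkcs11, group, crl_distribution_url, ocsp_responder_url, email_address, inbox, outbox):
    """Create a self-signed root certificate authority in ``directory``.

    Generates a 4096-bit RSA key, a self-signed X.509v3 CA certificate
    (basicConstraints, keyUsage, subjectKeyIdentifier, crlDistributionPoints,
    authorityInfoAccess and optionally subjectAltName), an empty initial CRL
    and a ``serial`` counter file, writes them with restrictive permissions
    and prints the follow-up commands for the operator.

    Args:
        parent, inbox, outbox: accepted for CLI compatibility; not used here
            (they are visible to the rendered openssl.cnf via ``locals()``).
        country, state, locality, organization, organizational_unit,
            common_name: components of the CA subject DN. ``common_name`` is
            also the host in the default CRL and OCSP URLs.
        directory: target directory; its basename is the CA slug.
        crl_age: validity of the initial CRL, in days.
        lifetime: validity of the CA certificate, in days.
        pkcs11: hardware-token flag; raises ``NotImplementedError`` if set.
        group: name looked up in the password database; the process switches
            to that account's gid before touching the filesystem.
        crl_distribution_url, ocsp_responder_url: optional overrides for the
            CRL distribution point and OCSP responder URLs.
        email_address: optional address placed in subjectAltName.

    Raises:
        click.ClickException: if ``ca_key.pem`` already exists in
            ``directory`` (refusing to overwrite a live CA key) or
            ``email_address`` contains a comma or whitespace.
        NotImplementedError: if ``pkcs11`` is requested.
        KeyError: if ``group`` is not in the password database.

    Side effects: calls ``os.setgid`` and leaves the process umask at 0o077.
    """
    logging.info("Creating certificate authority in %s", directory)

    # NOTE(review): ``group`` is resolved through pwd (the *user* database)
    # and only the gid is switched; the effective uid is unchanged. Confirm
    # that this is the intended privilege model rather than grp.getgrnam.
    _, _, uid, gid, gecos, root, shell = pwd.getpwnam(group)
    os.setgid(gid)

    # File paths
    ca_key = os.path.join(directory, "ca_key.pem")
    ca_crt = os.path.join(directory, "ca_crt.pem")
    ca_crl = os.path.join(directory, "ca_crl.pem")

    # Everything below is opened with "wb"; never silently replace the private
    # key of an authority that has already been set up in this directory.
    if os.path.exists(ca_key):
        raise click.ClickException("CA key %s already exists, refusing to overwrite it" % ca_key)

    # Fail fast on unsupported or invalid options before the expensive key generation.
    if pkcs11:
        raise NotImplementedError("Hardware token support not yet implemented!")
    # The OpenSSL extension syntax is a comma-separated list, so a comma (or
    # whitespace) inside the address would introduce extra SAN entries.
    if email_address and ("," in email_address or any(c.isspace() for c in email_address)):
        raise click.ClickException("Invalid e-mail address for subjectAltName")

    click.echo("Generating 4096-bit RSA key...")
    key = crypto.PKey()
    key.generate_key(crypto.TYPE_RSA, 4096)

    slug = os.path.basename(directory)
    # Plain http is conventional for CRL/OCSP: the responses are signed by the
    # CA itself, and https here would create a circular trust dependency.
    if not crl_distribution_url:
        crl_distribution_url = "http://%s/api/%s/revoked/" % (common_name, slug)
    if not ocsp_responder_url:
        ocsp_responder_url = "http://%s/api/%s/ocsp/" % (common_name, slug)
    crl_distribution_points = "URI:%s" % crl_distribution_url
    authority_info_access = "OCSP;URI:%s" % ocsp_responder_url

    ca = crypto.X509()
    # X.509 versions are zero-based on the wire: 2 encodes v3, which a
    # certificate carrying extensions must declare. (The earlier
    # set_version(3) attempt produced an invalid "v4", hence the viewer breakage.)
    ca.set_version(2)
    ca.set_serial_number(1)
    ca.get_subject().CN = common_name
    ca.get_subject().C = country
    ca.get_subject().ST = state
    ca.get_subject().L = locality
    ca.get_subject().O = organization
    ca.get_subject().OU = organizational_unit
    ca.gmtime_adj_notBefore(0)
    ca.gmtime_adj_notAfter(lifetime * 24 * 60 * 60)
    ca.set_issuer(ca.get_subject())  # self-signed root
    ca.set_pubkey(key)
    ca.add_extensions([
        # Critical: this is a CA and its key is used only to sign certs and CRLs.
        crypto.X509Extension(b"basicConstraints", True, b"CA:TRUE"),
        crypto.X509Extension(b"keyUsage", True, b"keyCertSign, cRLSign"),
        crypto.X509Extension(b"subjectKeyIdentifier", False, b"hash", subject=ca),
        crypto.X509Extension(b"crlDistributionPoints", False, crl_distribution_points.encode("ascii")),
        crypto.X509Extension(b"authorityInfoAccess", False, authority_info_access.encode("ascii")),
    ])
    if email_address:
        subject_alt_name = "email:%s" % email_address
        ca.add_extensions([
            crypto.X509Extension(b"subjectAltName", False, subject_alt_name.encode("ascii")),
        ])

    click.echo("Signing %s..." % subject2dn(ca.get_subject()))
    # openssl x509 -in ca_crt.pem -outform DER | sha256sum
    # openssl x509 -fingerprint -sha256 -in ca_crt.pem
    # SHA-1 signatures are rejected by modern validators; sign with SHA-256.
    ca.sign(key, "sha256")

    # Directory layout: 0750 top level, 0770 working subdirectories so the
    # group can enqueue requests, 0640 certificate, 0600 private key.
    os.umask(0o027)
    if not os.path.exists(directory):
        os.makedirs(directory)

    os.umask(0o007)
    for subdir in ("signed", "requests", "revoked"):
        if not os.path.exists(os.path.join(directory, subdir)):
            os.mkdir(os.path.join(directory, subdir))

    with open(ca_crl, "wb") as fh:
        crl = crypto.CRL()
        # Pass the digest explicitly: older pyOpenSSL releases default CRL
        # signatures to MD5 and newer ones refuse to export without one.
        fh.write(crl.export(ca, key, days=crl_age, digest=b"sha256"))

    # NOTE(review): the CA certificate itself carries serial 1; confirm the
    # signer that consumes this counter does not reuse 1 for the first leaf.
    with open(os.path.join(directory, "serial"), "w") as fh:
        fh.write("1")

    os.umask(0o027)
    with open(ca_crt, "wb") as fh:
        fh.write(crypto.dump_certificate(crypto.FILETYPE_PEM, ca))

    os.umask(0o077)
    with open(ca_key, "wb") as fh:
        fh.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, key))

    # The template is rendered with every local of this function.
    click.echo("Insert following to /etc/ssl/openssl.cnf:")
    click.echo()
    click.secho(env.get_template("openssl.cnf").render(locals()), fg="blue")
    click.echo()
    click.echo("Use following commands to inspect the newly created files:")
    click.echo()
    click.echo("  openssl crl -inform PEM -text -noout -in %s" % ca_crl)
    click.echo("  openssl x509 -text -noout -in %s" % ca_crt)
    click.echo("  openssl rsa -check -in %s" % ca_key)
    click.echo("  openssl verify -CAfile %s %s" % (ca_crt, ca_crt))
    click.echo()
    click.echo("Use following to launch privilege isolated signer processes:")
    click.echo()
    click.echo("  certidude spawn")
    click.echo()
    click.echo("Use following command to serve CA read-only:")
    click.echo()
    click.echo("  certidude serve")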