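def _escape_subject_value(value):
    """Escape one RDN value for OpenSSL's ``-subj`` syntax.

    ``-subj`` is parsed as ``/type=value/type=value...`` and a backslash
    makes the following character literal, so an unescaped ``/`` (or ``+``,
    the multi-valued RDN separator) inside a value would otherwise start a
    new subject component.  The backslash itself is escaped first so the
    result stays unambiguous.
    """
    return (value.replace('\\', '\\\\')
                 .replace('/', '\\/')
                 .replace('+', '\\+'))


def new_certificate_request(conf, key, password, country='', state='', locality='',
                            organisation='', organisation_unit='', common_name='', email=''):
    """Build a PKCS#10 certificate request for *key* via ``openssl req -new``.

    Args:
        conf: configuration object providing ``openssl`` (binary path) and
            ``root_dir`` (directory for the temporary key file).
        key: private key material written to a temporary file for OpenSSL.
        password: pass phrase that unlocks *key*.
        country, state, locality, organisation, organisation_unit,
        common_name, email: subject fields; empty ones are omitted from the
            subject, the rest are emitted in this fixed order.

    Returns:
        The standard output of the OpenSSL command (the request text).

    Raises:
        OpenSSLError: if the temporary key file cannot be created, if the
            command cannot be started, or if OpenSSL exits non-zero.
    """
    components = (
        ('C', country),
        ('ST', state),
        ('L', locality),
        ('O', organisation),
        ('OU', organisation_unit),
        ('CN', common_name),
        ('emailAddress', email),
    )
    # Values are escaped so a '/' inside e.g. an organisation name cannot add
    # or alter a subject component; empty (or None) fields are skipped.
    subj = ''.join('/%s=%s' % (name, _escape_subject_value(value))
                   for name, value in components if value)

    key_file = tools.new_temp_file(key, conf.root_dir)
    if key_file is None:  # new_rsa_key in this file shows new_temp_file can return None
        raise OpenSSLError("Cannot create new request")

    # NOTE(review): the pass phrase travels on the command line ('pass:...')
    # and is therefore readable by other local users in the process list;
    # '-passin fd:N' or a pass-phrase file would avoid that but changes the
    # caller contract, so it is left as is here.
    cmd = tools.Cmd([conf.openssl, 'req', '-new', '-subj', subj,
                     '-key', key_file, '-passin', 'pass:%s' % (password)])
    try:
        out, ret = cmd.start()
    except Exception:
        raise OpenSSLError("Cannot create new request")
    finally:
        # The key file is removed on every path, including the error ones.
        tools.delete_file(key_file)
    if ret != 0:
        raise OpenSSLError("OpenSSL return: cannot create new request")
    return out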
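def rsadecrypt(conf, data, key, password):
    """Decrypt *data* with the RSA private key *key* via ``openssl rsautl -decrypt``.

    Args:
        conf: configuration object providing ``openssl`` (binary path).
        data: ciphertext fed to OpenSSL on standard input.
        key: private key material written to a temporary file for OpenSSL.
        password: pass phrase that unlocks *key*.

    Returns:
        OpenSSL's standard output with trailing newlines stripped.

    Raises:
        OpenSSLError: if the temporary key file cannot be created, if the
            command cannot be started, or if OpenSSL exits non-zero.
    """
    # NOTE(review): unlike the other helpers in this file the temporary key
    # is not placed under conf.root_dir — confirm whether that is intended.
    key_file = tools.new_temp_file(key)
    if key_file is None:  # new_rsa_key in this file shows new_temp_file can return None
        raise OpenSSLError("Cannot decrypt data with RSA")

    # NOTE(review): 'rsautl' defaults to PKCS#1 v1.5 padding and is
    # deprecated in OpenSSL 3 in favour of 'pkeyutl'; the pass phrase is also
    # visible on the command line.  Both are kept to preserve the caller
    # contract.
    cmd = tools.Cmd([conf.openssl, 'rsautl', '-decrypt', '-inkey', key_file,
                     '-passin', 'pass:%s' % (password)])
    try:
        out, ret = cmd.start(stdin=data)
    except Exception:
        raise OpenSSLError("Cannot decrypt data with RSA")
    finally:
        # The key file is removed on every path, including the error ones.
        tools.delete_file(key_file)
    if ret != 0:
        raise OpenSSLError("OpenSSL return: cannot decrypt data with RSA")
    # NOTE(review): this also removes genuine trailing newlines from the
    # plaintext; kept because callers may rely on it.
    return out.rstrip('\n')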
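def selfsign_certificate_request(conf, CA, request, key, password):
    """Self-sign a certificate request with ``openssl x509 -req -signkey``.

    Args:
        conf: configuration object providing ``openssl``, ``root_dir``,
            ``cert_hash`` and the CA / end-entity settings read below.
        CA: when exactly ``True`` (identity check, as before) a CA
            certificate is produced with ``basicConstraints`` CA:TRUE and
            ``conf.ca_path_len``; any other value yields an end-entity
            certificate with ``keyUsage``/``extendedkeyUsage`` from *conf*.
        request: the PKCS#10 request, fed to OpenSSL on standard input.
        key: private key material written to a temporary file for OpenSSL.
        password: pass phrase that unlocks *key*.

    Returns:
        The standard output of the OpenSSL command (the certificate text).

    Raises:
        OpenSSLError: if a temporary file cannot be created, if the command
            cannot be started, or if OpenSSL exits non-zero.
    """
    failure = "Cannot self sign certificate from request"
    # 64 random bits as the serial.  hexlify() returns bytes on Python 3, so
    # decode it; otherwise '0x%s' below would embed "b'...'" in the argument.
    # (On Python 2 the decode is a harmless str -> unicode conversion.)
    serial = hexlify(urandom(8)).decode('ascii')

    if CA is True:
        ext_body = ('[%s]\nbasicConstraints=critical,CA:TRUE,pathlen:%d\nkeyUsage=%s'
                    % (X509_EXTNAME, conf.ca_path_len, conf.ca_key_usage))
        cert_days = conf.ca_cert_days
    else:
        ext_body = ('[%s]\nbasicConstraints=critical,CA:FALSE\nkeyUsage=%s\nextendedkeyUsage=%s'
                    % (X509_EXTNAME, conf.key_usage, conf.extended_key_usage))
        cert_days = conf.cert_days

    # Every temporary file that was actually created is tracked here so the
    # finally clause below removes all of them, even when creating the second
    # one fails (the original leaked the key file in that case).
    temp_files = []
    try:
        key_file = tools.new_temp_file(key, conf.root_dir)
        if key_file is None:  # new_rsa_key in this file shows new_temp_file can return None
            raise OpenSSLError(failure)
        temp_files.append(key_file)

        ext_file = tools.new_temp_file(ext_body, conf.root_dir)
        if ext_file is None:
            raise OpenSSLError(failure)
        temp_files.append(ext_file)

        # NOTE(review): the pass phrase is passed on the command line and is
        # readable in the process list; kept to preserve the caller contract.
        cmd = tools.Cmd([conf.openssl, 'x509', '-req', '-passin', 'pass:%s' % (password),
                         '-signkey', key_file, '-days', str(cert_days), '-%s' % (conf.cert_hash),
                         '-set_serial', '0x%s' % (serial), '-extfile', ext_file,
                         '-extensions', X509_EXTNAME])
        try:
            out, ret = cmd.start(stdin=request)
        except Exception:
            raise OpenSSLError(failure)
    finally:
        for path in temp_files:
            tools.delete_file(path)

    if ret != 0:
        raise OpenSSLError("OpenSSL return: cannot self sign certificate from request")
    return out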
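def rsaencrypt(conf, data, cert):
    """Encrypt *data* to the public key in *cert* via ``openssl rsautl -encrypt -certin``.

    Args:
        conf: configuration object providing ``openssl`` (binary path).
        data: plaintext fed to OpenSSL on standard input.
        cert: certificate (PEM) written to a temporary file for OpenSSL.

    Returns:
        OpenSSL's standard output with trailing newlines stripped.

    Raises:
        OpenSSLError: if the temporary certificate file cannot be created,
            if the command cannot be started, or if OpenSSL exits non-zero.
    """
    # NOTE(review): unlike most helpers in this file the temporary file is
    # not placed under conf.root_dir — confirm whether that is intended.
    cert_file = tools.new_temp_file(cert)
    if cert_file is None:  # new_rsa_key in this file shows new_temp_file can return None
        raise OpenSSLError("Cannot encrypt data with RSA")

    # NOTE(review): 'rsautl' defaults to PKCS#1 v1.5 padding and is
    # deprecated in OpenSSL 3 in favour of 'pkeyutl' (with '-pkeyopt
    # rsa_padding_mode:oaep'); kept to preserve the caller contract.
    cmd = tools.Cmd([conf.openssl, 'rsautl', '-encrypt', '-certin', '-inkey', cert_file])
    try:
        out, ret = cmd.start(stdin=data)
    except Exception:
        raise OpenSSLError("Cannot encrypt data with RSA")
    finally:
        # The certificate file is removed on every path, including the error ones.
        tools.delete_file(cert_file)
    if ret != 0:
        raise OpenSSLError("OpenSSL return: cannot encrypt data with RSA")
    # NOTE(review): rsautl writes raw ciphertext unless Cmd.start() encodes
    # it; stripping a trailing 0x0a from raw bytes would corrupt the output.
    # Kept as in the original — verify what Cmd.start() returns.
    return out.rstrip('\n')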
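def new_rsa_key(conf, password):
    """Generate a pass-phrase protected RSA private key with ``openssl genrsa``.

    Args:
        conf: configuration object providing ``openssl``, ``root_dir``,
            ``private_key_size`` (passed to genrsa as the key size) and
            ``private_key_cipher`` (used as the ``-<cipher>`` option).
        password: pass phrase protecting the generated key.

    Returns:
        The standard output of the OpenSSL command (the key text) on
        success.  For backward compatibility two early failures return a
        ``(False, message)`` tuple instead of raising: a ``None`` password
        and a failure to create the seed file.

    Raises:
        OpenSSLError: if OpenSSL exits non-zero.  An exception from starting
            the command itself propagates unchanged, as before.
    """
    if password is None:
        return False, 'Password is Empty'

    # Seed material for '-rand'; the size is a multiple of the key size as
    # in the original (assumed to be in bits — TODO confirm).
    rand_file = tools.new_temp_file(urandom(conf.private_key_size * 2), conf.root_dir)
    if rand_file is None:
        return False, 'Cannot initialize random file'

    # NOTE(review): the pass phrase is passed on the command line and is
    # readable in the process list; kept to preserve the caller contract.
    cmd = tools.Cmd([conf.openssl, 'genrsa', '-f4', '-rand', rand_file,
                     '-%s' % (conf.private_key_cipher), '-passout', 'pass:%s' % (password),
                     str(conf.private_key_size)])
    try:
        out, ret = cmd.start()
    finally:
        # The seed file is removed even when starting the command raises
        # (the original leaked it on that path).
        tools.delete_file(rand_file)
    if ret != 0:
        raise OpenSSLError("OpenSSL return: cannot create RSA key")
    return out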
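def get_pkcs12(conf, user, cert, key, keypass, cacert, password):
    """Bundle a key, its certificate and the CA certificate as PKCS#12.

    Args:
        conf: configuration object providing ``openssl`` and ``root_dir``.
        user: name used in the bundle's friendly name (``'<user> certificate'``)
            and in error messages.
        cert: the end-entity certificate (PEM).
        key: the matching private key (PEM).
        keypass: pass phrase that unlocks *key*.
        cacert: the CA certificate to include via ``-certfile``.
        password: pass phrase protecting the resulting PKCS#12 file.

    Returns:
        The standard output of the OpenSSL command (the PKCS#12 data).

    Raises:
        OpenSSLError: if a temporary file cannot be created, if the command
            cannot be started, or if OpenSSL exits non-zero.
    """
    failure = "Cannot export PKCS#12 certificate for %s" % (user)

    # Every temporary file that was actually created is tracked here so the
    # finally clause below removes all of them, even when creating a later
    # one fails (the original leaked the earlier files in that case).
    temp_files = []
    try:
        for content in (key, cert, cacert):
            path = tools.new_temp_file(content, conf.root_dir)
            if path is None:  # new_rsa_key in this file shows new_temp_file can return None
                raise OpenSSLError(failure)
            temp_files.append(path)
        key_file, cert_file, cacert_file = temp_files

        # NOTE(review): both pass phrases are passed on the command line and
        # are readable in the process list; the PKCS#12 encryption and MAC
        # algorithms are OpenSSL's version-dependent defaults (no -keypbe /
        # -certpbe / -macalg).  Both kept to preserve the caller contract.
        cmd = tools.Cmd([conf.openssl, 'pkcs12', '-export', '-inkey', key_file,
                         '-in', cert_file, '-certfile', cacert_file, '-passin',
                         'pass:%s' % (keypass), '-passout', 'pass:%s' % (password),
                         '-name', '%s certificate' % (user)])
        try:
            out, ret = cmd.start()
        except Exception:
            raise OpenSSLError(failure)
    finally:
        for path in temp_files:
            tools.delete_file(path)

    if ret != 0:
        raise OpenSSLError("OpenSSL return: Cannot export PKCS#12 certificate for %s" % (user))
    return out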