def generate_certificate(self, domain, save_model):
"""This function takes a domain name as a parameter and then creates
a certificate and key with the domain name (replacing dots
by underscores), finally signing the certificate using specified CA and
returns the path of key and cert files. If you are yet to generate a CA
then check the top comments"""
logger.info("SimpleCA: certificate creation request %s" % (domain,))
ca_private_key = asymmetric.load_private_key(
self.ca_key,
password=settings.CA_KEY_PASSWD)
ca_certificate = asymmetric.load_certificate(self.ca_crt)
end_entity_public_key, end_entity_private_key = \
asymmetric.generate_pair('rsa', bit_size=2048)
builder = CertificateBuilder(
{
'country_name': 'CR',
'state_or_province_name': 'San Jose',
'locality_name': 'Costa Rica',
'organization_name': save_model.name,
"organizational_unit_name": save_model.institution_unit,
'common_name': domain,
},
end_entity_public_key
)
now = timezone.now()
builder.issuer = ca_certificate
builder.begin_date = now
builder.end_date = now+timedelta(settings.CA_CERT_DURATION)
builder.key_usage = set(['digital_signature'])
end_entity_certificate = builder.build(ca_private_key)
# settings.CA_CERT_DURATION
server_public_key, server_private_key = \
asymmetric.generate_pair('rsa', bit_size=2048)
save_model.private_key = asymmetric.dump_private_key(
end_entity_private_key, None)
save_model.public_key = asymmetric.dump_public_key(
end_entity_public_key)
save_model.public_certificate = pem_armor_certificate(
end_entity_certificate)
save_model.server_sign_key = asymmetric.dump_private_key(
server_private_key, None)
save_model.server_public_key = asymmetric.dump_public_key(
server_public_key)
logger.debug("SimpleCA: New certificate for %s is %r" %
(domain, save_model.public_certificate))
return save_model
def create_certificate():
root_ca_public_key, root_ca_private_key = asymmetric.generate_pair(
'rsa', bit_size=2048)
with open('root_ca.key', 'wb') as f:
f.write(asymmetric.dump_private_key(root_ca_private_key, u'p'))
with open('root_ca_public.key', 'wb') as f:
f.write(asymmetric.dump_public_key(root_ca_public_key, 'pem'))
builder = CertificateBuilder(
{
u'country_name': u'US',
u'state_or_province_name': u'Massachusetts',
u'locality_name': u'Amherst',
u'organization_name': u'Name Certifying service',
u'common_name': u'NCS Root CA',
}, root_ca_public_key)
builder.self_signed = True
builder.ca = True
root_ca_certificate = builder.build(root_ca_private_key)
with open('root_ca.crt', 'wb') as f:
f.write(pem_armor_certificate(root_ca_certificate))
# Generate an end-entity key and certificate, signed by the root
end_entity_public_key, end_entity_private_key = asymmetric.generate_pair(
'rsa', bit_size=2048)
with open('ramteja_tadishetti_private.key', 'wb') as f:
f.write(asymmetric.dump_private_key(end_entity_private_key, u'p'))
with open('ramteja_tadishetti_public.key', 'wb') as f:
f.write(asymmetric.dump_public_key(end_entity_public_key, 'pem'))
builder = CertificateBuilder(
{
u'country_name': u'US',
u'state_or_province_name': u'Massachusetts',
u'locality_name': u'Amherst',
u'organization_name': u'Ramteja Tadishetti Corp',
u'common_name': u'ramtejatadishetti',
}, end_entity_public_key)
builder.issuer = root_ca_certificate
#builder.set_extension( u'1.2.840.113549.1.1.1', 'ramteja', allow_deprecated=False)
end_entity_certificate = builder.build(root_ca_private_key)
with open('ramteja_tadishetti.crt', 'wb') as f:
f.write(pem_armor_certificate(end_entity_certificate))
def test_dump_public(self):
public = asymmetric.load_public_key(
os.path.join(fixtures_dir, 'keys/test.crt'))
pem_serialized = asymmetric.dump_public_key(public)
public_reloaded = asymmetric.load_public_key(pem_serialized)
self.assertIsInstance(public_reloaded, asymmetric.PublicKey)
self.assertEqual('rsa', public_reloaded.algorithm)
def generate_certificate(self, domain, save_model):
logger.info("Dogtag: certificate creation request %s" % (domain,))
public_key, private_key = asymmetric.generate_pair(
'rsa', bit_size=2048)
data = {
'common_name': domain,
'organization_name': save_model.name,
'organizational_unit_name': save_model.institution_unit,
'email_address': save_model.email
}
data.update(settings.DOGTAG_CERTIFICATE_SCHEME)
builder = CSRBuilder(
data,
public_key
)
#builder.subject_alt_domains = ['codexns.io', 'codexns.com']
request = builder.build(private_key)
inputs = {
"cert_request_type": "pkcs10",
"cert_request": pem_armor_csr(request).decode(),
"requestor_name": settings.DOGTAG_CERT_REQUESTER,
"requestor_email": settings.DOGTAG_CERT_REQUESTER_EMAIL,
}
logger.debug("Dogtag: request certificate %r" % (inputs,))
conn = self.get_connection()
cert_client = pki.cert.CertClient(conn)
certificates = cert_client.enroll_cert("caServerCert", inputs)
server_public_key, server_private_key = \
asymmetric.generate_pair('rsa', bit_size=2048)
save_model.private_key = asymmetric.dump_private_key(private_key, None)
save_model.public_key = asymmetric.dump_public_key(public_key)
save_model.public_certificate = certificates[0].cert.encoded.encode()
save_model.server_sign_key = asymmetric.dump_private_key(
server_private_key, None)
save_model.server_public_key = asymmetric.dump_public_key(
server_public_key)
logger.debug("Dogtag: New certificate for %s is %r" %
(domain, save_model.public_certificate))
return save_model
def pubkey_xml_to_pem(xml):
der = pubkey_xml_to_der(xml)
b64 = b64encode(der).decode("ascii")
pem = "\n".join([
"-----BEGIN PUBLIC KEY-----", *re.findall(r".{1,64}", b64),
"-----END PUBLIC KEY-----"
])
# load and dump as both a form of validation and normalization
pem = pem.encode("ascii")
bpem = dump_public_key(load_public_key(pem), encoding="pem")
return bpem.decode("ascii")
def generate_pair(name, quiet=False, key_type='rsa', key_size=2048):
if not quiet:
write('Generating {} keys ... '.format(name), end='')
public_key, private_key = asymmetric.generate_pair(key_type, bit_size=key_size)
with open(path.join(certs_dir, '{}.key'.format(name)), 'wb') as f:
f.write(asymmetric.dump_private_key(private_key, None))
with open(path.join(certs_dir, '{}.pubkey'.format(name)), 'wb') as f:
f.write(asymmetric.dump_public_key(public_key))
if not quiet:
write('done')
def test_ec_generate(self):
public, private = asymmetric.generate_pair('ec', curve='secp256r1')
self.assertEqual('ec', public.algorithm)
self.assertEqual('secp256r1', public.asn1.curve[1])
original_data = b'This is data to sign'
signature = asymmetric.ecdsa_sign(private, original_data, 'sha1')
self.assertIsInstance(signature, byte_cls)
asymmetric.ecdsa_verify(public, signature, original_data, 'sha1')
raw_public = asymmetric.dump_public_key(public)
asymmetric.load_public_key(raw_public)
raw_private = asymmetric.dump_private_key(private, None)
asymmetric.load_private_key(raw_private, None)
def test_dsa_generate(self):
public, private = asymmetric.generate_pair('dsa', bit_size=1024)
self.assertEqual('dsa', public.algorithm)
self.assertEqual(1024, public.bit_size)
original_data = b'This is data to sign'
signature = asymmetric.dsa_sign(private, original_data, 'sha1')
self.assertIsInstance(signature, byte_cls)
asymmetric.dsa_verify(public, signature, original_data, 'sha1')
raw_public = asymmetric.dump_public_key(public)
asymmetric.load_public_key(raw_public)
raw_private = asymmetric.dump_private_key(private, None)
asymmetric.load_private_key(raw_private, None)
def test_dsa_generate(self):
public, private = asymmetric.generate_pair('dsa', bit_size=1024)
self.assertEqual('dsa', public.algorithm)
self.assertEqual(1024, public.bit_size)
original_data = b'This is data to sign'
signature = asymmetric.dsa_sign(private, original_data, 'sha1')
self.assertIsInstance(signature, byte_cls)
asymmetric.dsa_verify(public, signature, original_data, 'sha1')
raw_public = asymmetric.dump_public_key(public)
asymmetric.load_public_key(raw_public)
raw_private = asymmetric.dump_private_key(private, None)
asymmetric.load_private_key(raw_private, None)
def test_ec_generate(self):
public, private = asymmetric.generate_pair('ec', curve='secp256r1')
self.assertEqual('ec', public.algorithm)
self.assertEqual('secp256r1', public.asn1.curve[1])
original_data = b'This is data to sign'
signature = asymmetric.ecdsa_sign(private, original_data, 'sha1')
self.assertIsInstance(signature, byte_cls)
asymmetric.ecdsa_verify(public, signature, original_data, 'sha1')
raw_public = asymmetric.dump_public_key(public)
asymmetric.load_public_key(raw_public)
raw_private = asymmetric.dump_private_key(private, None)
asymmetric.load_private_key(raw_private, None)
def generate_pair(name, quiet=False, key_type='rsa', key_size=2048):
if not quiet:
write('Generating {} keys ... '.format(name), end='')
public_key, private_key = asymmetric.generate_pair(key_type,
bit_size=key_size)
with open(path.join(certs_dir, '{}.key'.format(name)), 'wb') as f:
f.write(asymmetric.dump_private_key(private_key, None))
with open(path.join(certs_dir, '{}.pubkey'.format(name)), 'wb') as f:
f.write(asymmetric.dump_public_key(public_key))
if not quiet:
write('done')
def test_rsa_generate(self):
public, private = asymmetric.generate_pair('rsa', bit_size=2048)
self.assertEqual('rsa', public.algorithm)
self.assertEqual(2048, public.bit_size)
original_data = b'This is data to sign'
signature = asymmetric.rsa_pkcs1v15_sign(private, original_data,
'sha1')
self.assertIsInstance(signature, byte_cls)
asymmetric.rsa_pkcs1v15_verify(public, signature, original_data,
'sha1')
raw_public = asymmetric.dump_public_key(public)
asymmetric.load_public_key(raw_public)
raw_private = asymmetric.dump_private_key(private, None)
asymmetric.load_private_key(raw_private, None)
self.assertIsInstance(private.fingerprint, byte_cls)
self.assertIsInstance(public.fingerprint, byte_cls)
self.assertEqual(private.fingerprint, public.fingerprint)
def create_certificate():
root_ca_public_key, root_ca_private_key = asymmetric.generate_pair(
'rsa', bit_size=2048)
with open('root_ca.key', 'wb') as f:
f.write(asymmetric.dump_private_key(root_ca_private_key, u'p'))
with open('root_ca_public.key', 'wb') as f:
f.write(asymmetric.dump_public_key(root_ca_public_key, 'pem'))
builder = CertificateBuilder(
{
u'country_name': u'US',
u'state_or_province_name': u'Massachusetts',
u'locality_name': u'Amherst',
u'organization_name': u'Name Certifying service',
u'common_name': u'NCS Root CA',
}, root_ca_public_key)
builder.self_signed = True
builder.ca = True
root_ca_certificate = builder.build(root_ca_private_key)
with open('root_ca.crt', 'wb') as f:
f.write(pem_armor_certificate(root_ca_certificate))
if os.path.isfile(pubkey_filename):
print(
pubkey_filename +
" already exists, move it somewhere else. I don't want to overwrite any keys."
)
elif os.path.isfile(privkey_filename):
print(
privkey_filename +
" already exists, move it somewhere else. I don't want to overwrite any keys."
)
else:
print("Generating Key Pair")
pub, priv = asym.generate_pair("rsa", bit_size=2048)
pub_f = open(pubkey_filename, 'wb')
priv_f = open(privkey_filename, 'wb')
pub_f.write(asym.dump_public_key(pub, "pem"))
priv_f.write(asym.dump_private_key(priv, u'salt', "pem"))
pub_f.close()
priv_f.close()
elif command == "sign":
if len(sys.argv) < 3:
print(help_text)
else:
url = sys.argv[2]
if not os.path.isfile(privkey_filename):
print(privkey_filename +
" does not exist, run the make_key command.")
else:
f = open(privkey_filename, 'rb')
privkey = f.read()
f.close()
#!/usr/bin/env python3
from oscrypto import asymmetric
pub, priv = asymmetric.generate_pair('rsa', 2048)
with open('./secrets/packagecontrol.io.key', 'wb') as f:
f.write(asymmetric.dump_openssl_private_key(priv, None))
with open('./secrets/packagecontrol.io.pub', 'wb') as f:
f.write(asymmetric.dump_public_key(pub))
def test_dump_public(self):
public = asymmetric.load_public_key(os.path.join(fixtures_dir, 'keys/test.crt'))
pem_serialized = asymmetric.dump_public_key(public)
public_reloaded = asymmetric.load_public_key(pem_serialized)
self.assertIsInstance(public_reloaded, asymmetric.PublicKey)
self.assertEqual('rsa', public_reloaded.algorithm)
def to_pem(self):
return asymmetric.dump_public_key(self._public_key, encoding='pem')
def to_der(self):
return asymmetric.dump_public_key(self._public_key, encoding='der')
def _dump_public(key):
return asymmetric.dump_public_key(key)
