def generate_host_cert(host,
root_cert,
root_key,
host_filename,
wildcard=False):
# Generate key
key = crypto.PKey()
key.generate_key(crypto.TYPE_RSA, 2048)
# Generate CSR
req = crypto.X509Req()
req.get_subject().CN = host
req.set_pubkey(key)
req.sign(key, 'sha1')
# Generate Cert
cert = CertificateAuthority._make_cert(host)
cert.set_issuer(root_cert.get_subject())
cert.set_pubkey(req.get_pubkey())
if wildcard:
DNS = 'DNS:'
alt_hosts = [DNS + host, DNS + '*.' + host]
alt_hosts = ', '.join(alt_hosts)
cert.add_extensions(
[crypto.X509Extension('subjectAltName', False, alt_hosts)])
cert.sign(root_key, 'sha1')
# Write cert + key
CertificateAuthority.write_pem(host_filename, cert, key)
return cert, key
def create_self_signed_cert(hostname, cert_path, pkey_path):
"""Generate a certificate and private key, and returns the public key as str."""
# create a key pair
k = crypto.PKey()
k.generate_key(crypto.TYPE_RSA, 2048)
# create a self-signed cert
cert = crypto.X509()
cert.get_subject().C = "BR"
cert.get_subject().ST = "Sao Paulo"
cert.get_subject().L = "Campinas"
cert.get_subject().O = hostname
cert.get_subject().OU = hostname
cert.set_serial_number(1000)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(10 * 365 * 24 * 60 * 60)
cert.set_issuer(cert.get_subject())
if re.compile(r"[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}").match(hostname):
alt_name = "IP:" + hostname
else:
alt_name = "DNS:" + hostname
cert.add_extensions(
[crypto.X509Extension(b"subjectAltName", False, alt_name.encode())]
)
cert.set_pubkey(k)
cert.sign(k, "sha512")
with open(cert_path, "wb") as f:
f.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
with open(pkey_path, "wb") as f:
f.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, k))
return
def create_certificate(certfile, pkeyfile):
rootpem = open("CERT/root.crt", "rb").read()
rootkey = open("CERT/root.key", "rb").read()
ca_cert = crypto.load_certificate(crypto.FILETYPE_PEM, rootpem)
ca_key = crypto.load_privatekey(crypto.FILETYPE_PEM, rootkey)
pkey = crypto.PKey()
pkey.generate_key(crypto.TYPE_RSA, 2048)
cert = crypto.X509()
cert.set_serial_number(int(random.random() * sys.maxsize))
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(60 * 60 * 24 * 365)
cert.set_version(2)
subject = cert.get_subject()
subject.CN = "Accesser_Proxy"
subject.O = "Accesser"
cert.add_extensions(
[crypto.X509Extension(b"subjectAltName", False, parse_domain())])
cert.set_issuer(ca_cert.get_subject())
cert.set_pubkey(pkey)
cert.sign(ca_key, "sha256")
with open(certfile, "wb") as certfile:
certfile.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
certfile.close()
with open(pkeyfile, "wb") as pkeyfile:
pkeyfile.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, pkey))
pkeyfile.close()
def gen_ss_cert(key, domains, ips, extensions):
cert = crypto.X509()
cert.set_serial_number(int(binascii.hexlify(os.urandom(16)), 16))
cert.set_version(2)
extensions.append(crypto.X509Extension(b"basicConstraints", True, b"CA:TRUE, pathlen:0"))
cert.set_issuer(cert.get_subject())
sans = []
sans.extend([b"DNS:" + d.encode() for d in domains])
sans.extend([b"IP:" + d.encode() for d in ips])
extensions.append(crypto.X509Extension(b"subjectAltName", critical=False, value=b", ".join(sans)))
cert.add_extensions(extensions)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(24 * 60 * 60)
cert.set_pubkey(key)
cert.sign(key, "sha256")
return cert
def _validate_key_usage(self):
found = False
for extension_idx in range(
0, self.existing_certificate.get_extension_count()):
extension = self.existing_certificate.get_extension(extension_idx)
if extension.get_short_name() == b'keyUsage':
found = True
expected_extension = crypto.X509Extension(
b"keyUsage", False, b', '.join(self.key_usage))
key_usage = [
usage.strip() for usage
in to_text(expected_extension,
errors='surrogate_or_strict').split(',')
]
current_ku = [
usage.strip() for usage in to_text(
extension, errors='surrogate_or_strict').split(',')
]
if not compare_sets(key_usage, current_ku,
self.key_usage_strict):
return self.key_usage, str(extension).split(', ')
if not found:
# This is only bad if the user specified a non-empty list
if self.key_usage:
return NO_EXTENSION
def __create_internal(self, data):
cert_info = get_cert_info_from_data(data)
data['type'] = CERT_TYPE_INTERNAL
signing_cert = self.middleware.call_sync(
'certificateauthority.query',
[('id', '=', data['signedby'])],
{'get': True}
)
public_key = generate_key(data['key_length'])
signkey = load_private_key(signing_cert['privatekey'])
cert = self.middleware.call_sync('certificate.create_certificate', cert_info)
cert.set_pubkey(public_key)
cacert = crypto.load_certificate(crypto.FILETYPE_PEM, signing_cert['certificate'])
cert.set_issuer(cacert.get_subject())
cert.add_extensions([
crypto.X509Extension(b"subjectKeyIdentifier", False, b"hash", subject=cert),
])
cert_serial = self.middleware.call_sync(
'certificateauthority.get_serial_for_certificate',
data['signedby']
)
cert.set_serial_number(cert_serial)
cert.sign(signkey, data['digest_algorithm'])
data['certificate'] = crypto.dump_certificate(crypto.FILETYPE_PEM, cert)
data['privatekey'] = crypto.dump_privatekey(crypto.FILETYPE_PEM, public_key)
data['serial'] = cert_serial
return data
def generate_adhoc_ssl_pair(cn=None, hosts=None):
from random import random
from OpenSSL import crypto
if cn is None:
cn = '*'
cert = crypto.X509()
cert.set_serial_number(int(random() * sys.maxsize))
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(60 * 60 * 24 * 365 * 10) # 10 years
subject = cert.get_subject()
subject.CN = cn
subject.O = 'Dummy Certificate' # noqa: E741
if hosts is not None:
hosts.append('localhost')
altNames = ", ".join(["DNS:{0}".format(host) for host in hosts])
cert.add_extensions([crypto.X509Extension(b"subjectAltName", False, altNames.encode())])
issuer = cert.get_issuer()
issuer.CN = subject.CN
issuer.O = subject.O # noqa: E741
pkey = crypto.PKey()
pkey.generate_key(crypto.TYPE_RSA, 2048)
cert.set_pubkey(pkey)
cert.sign(pkey, 'sha256')
return cert, pkey
def generate(self, module):
'''Generate the certificate signing request.'''
if not os.path.exists(self.path) or self.force:
req = crypto.X509Req()
req.set_version(self.version)
subject = req.get_subject()
for (key,value) in self.subject.items():
if value is not None:
setattr(subject, key, value)
if self.subjectAltName is not None:
req.add_extensions([crypto.X509Extension("subjectAltName", False, self.subjectAltName)])
privatekey_content = open(self.privatekey_path).read()
self.privatekey = crypto.load_privatekey(crypto.FILETYPE_PEM, privatekey_content)
req.set_pubkey(self.privatekey)
req.sign(self.privatekey, self.digest)
self.request = req
csr_file = open(self.path, 'w')
csr_file.write(crypto.dump_certificate_request(crypto.FILETYPE_PEM, self.request))
csr_file.close()
else:
self.changed = False
file_args = module.load_file_common_arguments(module.params)
if module.set_fs_attributes_if_different(file_args, False):
self.changed = True
def create_certificate_signing_request(cert_info):
key = generate_key(cert_info['key_length'])
req = crypto.X509Req()
req.get_subject().C = cert_info['country']
req.get_subject().ST = cert_info['state']
req.get_subject().L = cert_info['city']
req.get_subject().O = cert_info['organization']
cn_san_list = cert_info['san'].split() + cert_info['common'].split()
cn_san = ', '.join(cn_san_list)
req.get_subject().CN = cn_san
# first lets determine if an ip address was specified or
# a dns entry in the common name
default_san_type = 'DNS'
try:
ipaddress.ip_address(cert_info['common'])
default_san_type = 'IP'
except ValueError:
# This is raised if say we specified freenas.org in the Common name
pass
req.add_extensions([
crypto.X509Extension(
"subjectAltName".encode('utf-8'), False,
f"{default_san_type}:{cert_info['san']}".encode('utf-8'))
])
req.get_subject().emailAddress = cert_info['email']
req.set_pubkey(key)
sign_certificate(req, key, cert_info['digest_algorithm'])
return (req, key)
def createCertRequest(pkey, **name):
"""
Create a certificate request.
@param pkey: The key to associate with the request
@type pkey: crypto.PKey
@keyword name: The name of the subject of the request, possible
arguments are:
C - Country name
ST - State or province name
L - Locality name
O - Organization name (always forced to be "Calathi project")
OU - Organizational unit name
CN - Common name
emailAddress - E-mail address
@returns: The certificate request in an X509Req object
@rtype: crypto.X509Req
"""
req = crypto.X509Req()
subj = req.get_subject()
assert 'O' not in name, repr(name)
for (key, value) in name.iteritems():
setattr(subj, key, value)
setattr(subj, 'O', CERT_O)
x = crypto.X509Extension('subjectAltName',
True,
'otherName:1.2;UTF8:some other identifier')
req.add_extensions([x])
req.set_pubkey(pkey)
req.sign(pkey, OPENSSL_DIGEST)
return req
def CreateCert(name, signer=None, ocsp=False):
global NEXT_SERIAL
pkey = crypto.PKey()
pkey.generate_key(crypto.TYPE_RSA, 1024)
cert = crypto.X509()
cert.set_version(2)
cert.get_subject().CN = name
cert.set_pubkey(pkey)
cert.set_serial_number(NEXT_SERIAL)
NEXT_SERIAL += 1
cert.set_notBefore(CERT_DATE.strftime('%Y%m%d%H%M%SZ'))
cert.set_notAfter(CERT_EXPIRE.strftime('%Y%m%d%H%M%SZ'))
if ocsp:
cert.add_extensions(
[crypto.X509Extension('extendedKeyUsage', False, 'OCSPSigning')])
if signer:
cert.set_issuer(signer[1].get_subject())
cert.sign(signer[2], 'sha1')
else:
cert.set_issuer(cert.get_subject())
cert.sign(pkey, 'sha1')
asn1cert = decoder.decode(crypto.dump_certificate(crypto.FILETYPE_ASN1,
cert),
asn1Spec=rfc2459.Certificate())[0]
if not signer:
signer = [asn1cert]
return (asn1cert, cert, pkey, signer[0])
def createCertRequest(pkey, digest="sha256", **name):
"""
Create a certificate request.
Arguments: pkey - The key to associate with the request
digest - Digestion method to use for signing, default is sha256
**name - The name of the subject of the request, possible
arguments are:
C - Country name
ST - State or province name
L - Locality name
O - Organization name
OU - Organizational unit name
CN - Common name
emailAddress - E-mail address
Returns: The certificate request in an X509Req object
"""
req = crypto.X509Req()
subj = req.get_subject()
if 'extensions' in name:
extensions = []
for ext in name['extensions']:
extensions.append(crypto.X509Extension(ext[0], ext[1], ext[2]))
req.add_extensions(extensions)
del name['extensions']
for key, value in name.items():
setattr(subj, key, value)
req.set_pubkey(pkey)
req.sign(pkey, digest)
return req
def create_subcert(certfile, commonname, ip=False):
cert = crypto.X509()
cert.set_version(2)
cert.set_serial_number(
int((int(time() - sub_serial) + random.random()) *
100)) #setting the only number
subject = cert.get_subject()
subject.countryName = 'CN'
subject.stateOrProvinceName = 'Internet'
subject.localityName = 'Cernet'
subject.organizationalUnitName = '%s Branch' % ca_vendor
subject.commonName = commonname
subject.organizationName = commonname
#某些认证机制会检查签署时间与当前时间之差
cert.gmtime_adj_notBefore(sub_time_b)
cert.gmtime_adj_notAfter(sub_time_a)
cert.set_issuer(ca_subject)
cert.set_pubkey(sub_publickey)
if ip:
sans = 'IP: ' + commonname
else:
sans = 'DNS: %s, DNS: *.%s' % (commonname, commonname)
cert.add_extensions(
[crypto.X509Extension(b'subjectAltName', True, sans.encode())])
cert.sign(ca_privatekey, ca_digest)
with open(certfile, 'wb') as fp:
fp.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
def create_certificate_signing_request(self, cert_info):
cert_info['san'] = self.middleware.call_sync(
'certificate.san_to_string', cert_info.pop('san', []))
key = generate_key(cert_info['key_length'])
req = crypto.X509Req()
req.get_subject().C = cert_info['country']
req.get_subject().ST = cert_info['state']
req.get_subject().L = cert_info['city']
req.get_subject().O = cert_info['organization']
if cert_info.get('organizational_unit'):
req.get_subject().OU = cert_info['organizational_unit']
req.get_subject().CN = cert_info['common']
if cert_info['san']:
req.add_extensions([
crypto.X509Extension(b"subjectAltName", False,
cert_info['san'].encode())
])
req.get_subject().subjectAltName = cert_info['san']
req.get_subject().emailAddress = cert_info['email']
req.set_pubkey(key)
req.sign(key, cert_info['digest_algorithm'])
return (req, key)
def gen_cert(self,
domain: str,
key: Optional[crypto.PKey] = None,
bits: int = 2048) -> Tuple[crypto.X509, crypto.PKey]:
"""Generate tls-alpn-01 certificate.
:param str domain: Domain verified by the challenge.
:param OpenSSL.crypto.PKey key: Optional private key used in
certificate generation. If not provided (``None``), then
fresh key will be generated.
:param int bits: Number of bits for newly generated key.
:rtype: `tuple` of `OpenSSL.crypto.X509` and `OpenSSL.crypto.PKey`
"""
if key is None:
key = crypto.PKey()
key.generate_key(crypto.TYPE_RSA, bits)
der_value = b"DER:" + codecs.encode(self.h, 'hex')
acme_extension = crypto.X509Extension(self.ID_PE_ACME_IDENTIFIER_V1,
critical=True,
value=der_value)
return crypto_util.gen_ss_cert(key, [domain],
force_san=True,
extensions=[acme_extension]), key
def create_certificate(server_name):
rootpem = open(os.path.join(certpath, "root.crt"), "rb").read()
rootkey = open(os.path.join(certpath, "root.key"), "rb").read()
ca_cert = crypto.load_certificate(crypto.FILETYPE_PEM, rootpem)
ca_key = crypto.load_privatekey(crypto.FILETYPE_PEM, rootkey)
cert = crypto.X509()
cert.set_serial_number(int(random.random() * sys.maxsize))
cert.gmtime_adj_notBefore(-600)
cert.gmtime_adj_notAfter(60 * 60 * 24 * 365)
cert.set_version(2)
subject = cert.get_subject()
subject.CN = "Accesser_Proxy"
subject.O = "Accesser"
cert.add_extensions([
crypto.X509Extension(b"subjectAltName", False,
('DNS:' + server_name + ',DNS:*.' +
server_name).encode())
])
cert.set_issuer(ca_cert.get_subject())
cert.set_pubkey(pkey)
cert.sign(ca_key, "sha256")
with open(os.path.join(certpath, '{}.crt'.format(server_name)),
"wb") as certfile:
certfile.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
certfile.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, pkey))
certfile.close()
def create_keypair(self):
LOG.debug('Generating Snakeoil CA')
key = crypto.PKey()
key.generate_key(crypto.TYPE_RSA, self.key_size)
cert = crypto.X509()
cert.set_version(self.x509_version)
cert.set_serial_number(self.serial)
subject = cert.get_subject()
set_subject_X509Name(subject, self.subject_dn)
cert.set_subject(subject)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(self.expiry_days)
cert.set_issuer(
set_subject_X509Name(cert.get_issuer(), self.signing_dn))
cert.set_pubkey(key)
cert.add_extensions([
crypto.X509Extension(b"basicConstraints", True,
b"CA:TRUE, pathlen:5"),
])
if not self.signing_key:
self.signing_key = key # self-signed
cert.sign(self.signing_key, 'sha256')
LOG.debug('Snakeoil CA cert/key generated')
chain = b''
if self.parent_chain_path:
with open(self.parent_chain_path, 'rb') as fh:
chain = fh.read()
chain += crypto.dump_certificate(crypto.FILETYPE_PEM, cert)
pkcs7 = self._generate_pkcs7(chain)
return cert, key, chain, pkcs7
def generate_test_cert(hostname='somehostname',
san_list=None,
expires=1000000):
""" Generates a test SSL certificate and returns the certificate data and private key data. """
# Based on: http://blog.richardknop.com/2012/08/create-a-self-signed-x509-certificate-in-python/
# Create a key pair.
k = crypto.PKey()
k.generate_key(crypto.TYPE_RSA, 1024)
# Create a self-signed cert.
cert = crypto.X509()
cert.get_subject().CN = hostname
# Add the subjectAltNames (if necessary).
if san_list is not None:
cert.add_extensions([
crypto.X509Extension("subjectAltName", False, ", ".join(san_list))
])
cert.set_serial_number(1000)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(expires)
cert.set_issuer(cert.get_subject())
cert.set_pubkey(k)
cert.sign(k, 'sha1')
# Dump the certificate and private key in PEM format.
cert_data = crypto.dump_certificate(crypto.FILETYPE_PEM, cert)
key_data = crypto.dump_privatekey(crypto.FILETYPE_PEM, k)
return (cert_data, key_data)
def create(cn,
issuer=None,
key=None,
keysize=2048,
digest="sha256",
notBefore="20150101000000+0000",
notAfter="20300101000000+0000",
additional_extensions=None):
if key is None:
key = crypto.PKey()
key.generate_key(crypto.TYPE_RSA, keysize)
cert = crypto.X509()
cert.set_pubkey(key)
cert.set_version(2)
cert.set_serial_number(random.randint(0, 2**20))
cert.set_notBefore(notBefore)
cert.set_notAfter(notAfter)
cert.get_subject().CN = cn
cert.set_issuer(cert.get_subject() if issuer is None else issuer.cert.
get_subject())
# Add the CA=True basic constraint
basicContraints = crypto.X509Extension("basicConstraints", True,
"CA:TRUE")
cert.add_extensions([basicContraints])
if additional_extensions is not None:
cert.add_extensions(additional_extensions)
signing_key = key if issuer is None else issuer.key
cert.sign(signing_key, digest)
return Certificate(cert, key)
def create_subcert(certfile, commonname, ip=False, sans=None):
sans = sans or []
cert = crypto.X509()
cert.set_version(2)
cert.set_serial_number(
int((int(time() - sub_serial) + random.random()) *
100)) #setting the only number
subject = cert.get_subject()
subject.countryName = 'CN'
subject.stateOrProvinceName = 'Internet'
subject.localityName = 'Cernet'
subject.organizationalUnitName = '%s Branch' % ca_vendor
subject.commonName = commonname
subject.organizationName = commonname
if ip:
sans = set([
commonname,
] + sans)
else:
sans = set([commonname, '*.' + commonname] + sans)
sans = ', '.join('DNS: %s' % x for x in sans)
if not isinstance(sans, bytes):
sans = sans.encode()
#某些认证机制会检查签署时间与当前时间之差
cert.gmtime_adj_notBefore(sub_time_b)
cert.gmtime_adj_notAfter(sub_time_a)
cert.set_issuer(ca_subject)
cert.set_pubkey(sub_key)
cert.add_extensions([crypto.X509Extension(b'subjectAltName', True, sans)])
cert.sign(ca_key, ca_digest)
with open(certfile, 'wb') as fp:
fp.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
def create_certificate(self, cert_info):
cert_info['san'] = self.middleware.call_sync(
'certificate.san_to_string',
cert_info.pop('san', [])
)
cert = crypto.X509()
cert.get_subject().C = cert_info['country']
cert.get_subject().ST = cert_info['state']
cert.get_subject().L = cert_info['city']
cert.get_subject().O = cert_info['organization']
cert.get_subject().CN = cert_info['common']
# Add subject alternate name in addition to CN
if cert_info['san']:
cert.add_extensions([crypto.X509Extension(
b"subjectAltName", False, cert_info['san'].encode()
)])
cert.get_subject().subjectAltName = cert_info['san']
cert.get_subject().emailAddress = cert_info['email']
serial = cert_info.get('serial')
if serial is not None:
cert.set_serial_number(serial)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(cert_info['lifetime'] * (60 * 60 * 24))
cert.set_issuer(cert.get_subject())
# Setting it to '2' actually results in a v3 cert
# openssl's cert x509 versions are zero-indexed!
# see: https://www.ietf.org/rfc/rfc3280.txt
cert.set_version(2)
return cert
def setup_atmcrypto(self):
atmkey = crypto.PKey()
atmkey.generate_key(crypto.TYPE_RSA, 2048)
certreq = crypto.X509Req()
certreq.get_subject().CN = "atm-machine.bank.example.com"
certreq.set_pubkey(atmkey)
certreq.sign(atmkey, "sha256")
atmcert = crypto.X509()
atmcert.set_subject(certreq.get_subject())
atmcert.set_serial_number(self._certauthoritynextserial)
atmcert.set_issuer(self._certauthority.get_subject())
atmcert.gmtime_adj_notBefore(0)
atmcert.gmtime_adj_notAfter(86400 * 365 * 3) # under CA's lifetime
atmcert.set_pubkey(certreq.get_pubkey())
atmcert.add_extensions([
crypto.X509Extension("basicConstraints", True, "CA:FALSE"),
crypto.X509ExtensionType("extendedKeyUsage", True, "clientAuth"),
])
atmcert.sign(self._certauthorityprivatekey, "sha256")
self._certauthoritynextserial = self._certauthoritynextserial + 1
if path.exists(self._common_utils.get_authfilename()):
self.error_exit('Auth file already exists (race check)')
outfile = file(self._common_utils.get_authfilename(), 'w')
outfile.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, atmkey))
outfile.write(crypto.dump_certificate(crypto.FILETYPE_PEM, atmcert))
outfile.write(
crypto.dump_certificate(crypto.FILETYPE_PEM, self._certauthority))
outfile.close()
def _create_verification_cert(cert_file, key_file, verification_file, nonce,
valid_days, serial_number):
if exists(cert_file) and exists(key_file):
# create a key pair
public_key = crypto.PKey()
public_key.generate_key(crypto.TYPE_RSA, 2046)
# open the root cert and key
signing_cert = crypto.load_certificate(crypto.FILETYPE_PEM,
open(cert_file).read())
k = crypto.load_privatekey(crypto.FILETYPE_PEM, open(key_file).read())
# create a cert signed by the root
verification_cert = crypto.X509()
verification_cert.get_subject().CN = nonce
verification_cert.gmtime_adj_notBefore(-1 * 24 * 60 * 60)
verification_cert.gmtime_adj_notAfter(valid_days * 24 * 60 * 60)
verification_cert.set_version(2)
verification_cert.set_serial_number(serial_number)
verification_cert.set_pubkey(public_key)
verification_cert.set_issuer(signing_cert.get_subject())
verification_cert.add_extensions([
crypto.X509Extension(b"authorityKeyIdentifier",
False,
b"keyid:always",
issuer=signing_cert)
])
verification_cert.sign(k, 'sha256')
verification_cert_str = crypto.dump_certificate(
crypto.FILETYPE_PEM, verification_cert).decode('ascii')
open(verification_file, 'w').write(verification_cert_str)
def create_root_ca():
pkey = crypto.PKey()
pkey.generate_key(crypto.TYPE_RSA, 4096)
cert = crypto.X509()
cert.set_version(2)
cert.set_serial_number(int(random.random() * sys.maxsize))
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(60 * 60 * 24 * 365 * 10)
subject = cert.get_subject()
subject.CN = "Accesser"
subject.O = "Accesser"
issuer = cert.get_issuer()
issuer.CN = "Accesser"
issuer.O = "Accesser"
cert.set_pubkey(pkey)
cert.add_extensions([
crypto.X509Extension(b"basicConstraints", True, b"CA:TRUE"),
crypto.X509Extension(b"subjectKeyIdentifier",
False,
b"hash",
subject=cert)
])
cert.add_extensions([
crypto.X509Extension(b"authorityKeyIdentifier",
False,
b"keyid:always",
issuer=cert)
])
cert.sign(pkey, "sha256")
with open(os.path.join(certpath, "root.crt"), "wb") as certfile:
certfile.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
certfile.close()
with open(os.path.join(certpath, "root.key"), "wb") as pkeyfile:
pkeyfile.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, pkey))
pkeyfile.close()
pfx = crypto.PKCS12Type()
pfx.set_privatekey(pkey)
pfx.set_certificate(cert)
with open(os.path.join(certpath, "root.pfx"), 'wb') as pfxfile:
pfxfile.write(pfx.export())
def create_csr(self):
"""Generates a cryptographic key-pair and a CSR"""
crypto_material_state = self._state_store.get_crypto_material_state()
self._LOG.info("Creating Certificate Signing Request")
pKey = self._generate_key()
self.version = crypto_material_state.get_version() + 1
# Create CSR
csr = crypto.X509Req()
csr.get_subject().C = "SE"
csr.get_subject().ST = "Sweden"
csr.get_subject().L = "Stockholm"
csr.get_subject().O = "Hopsworks"
csr.get_subject().OU = str(self.version)
# CN should be the hostname of the server
self.cn = self._getHostname()
self._LOG.debug("Hostname used in CN is {}".format(self.cn))
csr.get_subject().CN = self.cn
csr.set_pubkey(pKey)
### For kafka fix
base_constraints = ([
crypto.X509Extension(
"keyUsage", False,
"Digital Signature, Non Repudiation, Key Encipherment")
])
x509_extensions = base_constraints
# If there are SAN entries, append the base_constraints to include them.
san_constraint = crypto.X509Extension(
"subjectAltName", False, "DNS: %s" % self._config.hostname)
x509_extensions.append(san_constraint)
csr.add_extensions(x509_extensions)
### End Kafka
csr.sign(pKey, 'sha256')
self.csr_req = crypto.dump_certificate_request(crypto.FILETYPE_PEM,
csr)
self._private_key = crypto.dump_privatekey(crypto.FILETYPE_PEM, pKey)
cryptography_key = pKey.to_cryptography_key()
self._private_key_rsa = cryptography_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.NoEncryption())
self._LOG.debug("Finished CSR")
def _create_csr(self):
LOG.info('[%s] Generating CSR' % self.name)
req = crypto.X509Req()
LOG.debug('[%s] Attaching Certificate Version to CSR: %s' %
(self.name, self.version))
req.set_version(self.version)
subject = req.get_subject()
for (key, value) in self.subject.items():
if value is not None:
LOG.debug('[%s] Attaching %s to CSR: %s' %
(self.name, key, value))
setattr(subject, key, value)
LOG.info('[%s] Attaching SAN extention: %s' %
(self.name, self.subjectAltName))
try:
req.add_extensions([
crypto.X509Extension(bytes('subjectAltName', 'utf-8'), False,
bytes(self.subjectAltName, 'utf-8'))
])
except TypeError:
req.add_extensions([
crypto.X509Extension('subjectAltName', False,
self.subjectAltName)
])
LOG.debug('[%s] Loading private key: %s/private/%s.key' %
(self.name, self.path, self.name))
privatekey_content = open('%s/private/%s.key' %
(self.path, self.name)).read()
privatekey = crypto.load_privatekey(crypto.FILETYPE_PEM,
privatekey_content)
LOG.info('[%s] Signing CSR' % self.name)
req.set_pubkey(privatekey)
req.sign(privatekey, self.digest)
LOG.debug('[%s] Writting CSR: %s/csr/%s.csr' %
(self.name, self.path, self.name))
csr_file = open('%s/csr/%s.csr' % (self.path, self.name), 'w')
csr_file.write(
(crypto.dump_certificate_request(crypto.FILETYPE_PEM,
req)).decode('utf-8'))
csr_file.close()
def make_csr(private_key_pem, domains=None, must_staple=False, ipaddrs=None):
"""Generate a CSR containing domains or IPs as subjectAltNames.
:param buffer private_key_pem: Private key, in PEM PKCS#8 format.
:param list domains: List of DNS names to include in subjectAltNames of CSR.
:param bool must_staple: Whether to include the TLS Feature extension (aka
OCSP Must Staple: https://tools.ietf.org/html/rfc7633).
:param list ipaddrs: List of IPaddress(type ipaddress.IPv4Address or ipaddress.IPv6Address)
names to include in subbjectAltNames of CSR.
params ordered this way for backward competablity when called by positional argument.
:returns: buffer PEM-encoded Certificate Signing Request.
"""
private_key = crypto.load_privatekey(crypto.FILETYPE_PEM, private_key_pem)
csr = crypto.X509Req()
sanlist = []
# if domain or ip list not supplied make it empty list so it's easier to iterate
if domains is None:
domains = []
if ipaddrs is None:
ipaddrs = []
if len(domains) + len(ipaddrs) == 0:
raise ValueError(
"At least one of domains or ipaddrs parameter need to be not empty"
)
for address in domains:
sanlist.append('DNS:' + address)
for ips in ipaddrs:
sanlist.append('IP:' + ips.exploded)
# make sure its ascii encoded
san_string = ', '.join(sanlist).encode('ascii')
# for IP san it's actually need to be octet-string,
# but somewhere downsteam thankfully handle it for us
extensions = [
crypto.X509Extension(b'subjectAltName',
critical=False,
value=san_string),
]
if must_staple:
extensions.append(
crypto.X509Extension(b"1.3.6.1.5.5.7.1.24",
critical=False,
value=b"DER:30:03:02:01:05"))
csr.add_extensions(extensions)
csr.set_pubkey(private_key)
csr.set_version(2)
csr.sign(private_key, 'sha256')
return crypto.dump_certificate_request(crypto.FILETYPE_PEM, csr)
def sign_req(req, cacert, cakey):
# Validate Subject contents. Not necessary for CA gen, but kept anyhow
matching_template(req, cacert)
# Validate signature
req.verify(req.get_pubkey())
request_subject = components(req.get_subject())
cert = _crypto.X509()
subject = cert.get_subject()
cert.set_serial_number(int(uuid.uuid1()))
cert.set_version(VERSION)
for attrib in ATTRIBS_TO_KEEP:
if request_subject.get(attrib):
setattr(subject, attrib, request_subject[attrib])
issuer_subject = cert.get_subject()
cert.set_issuer(issuer_subject)
cert.set_pubkey(req.get_pubkey())
# Validity times
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(CA_LIFE())
cert.add_extensions(CA_EXTENSIONS)
cacert = cert
extension = _crypto.X509Extension(b"subjectKeyIdentifier",
critical=False,
value=b"hash",
subject=cert)
cert.add_extensions([extension])
# We need subjectKeyIdentifier to be added before we can add
# authorityKeyIdentifier.
extension = _crypto.X509Extension(
b"authorityKeyIdentifier",
critical=False,
value=b"issuer:always,keyid:always",
issuer=cacert,
)
cert.add_extensions([extension])
cert.sign(cakey, "sha512")
return cert
def generate_public_key(self,
json,
root_key=None,
root_ca=None,
ca_id=None):
# Generating the serial number
md5_hash = hashlib.md5()
md5_hash.update(str(uuid.uuid4()))
serial = int(md5_hash.hexdigest(), 24)
# Generating the certificate
ca_cert = crypto.X509()
if "C" in json['subjectDN']:
ca_cert.get_subject().C = json['subjectDN']['C']
if "O" in json['subjectDN']:
ca_cert.get_subject().O = json['subjectDN']['O']
if "OU" in json['subjectDN']:
ca_cert.get_subject().OU = json['subjectDN']['OU']
if "CN" in json['subjectDN']:
ca_cert.get_subject().CN = json['subjectDN']['CN']
ca_cert.set_version(2)
ca_cert.set_serial_number(serial)
ca_cert.gmtime_adj_notBefore(0)
ca_cert.gmtime_adj_notAfter(
int((self.expires_in - datetime.datetime.now()).total_seconds()))
ca_cert.set_pubkey(self.pKey)
ca_cert.set_issuer(ca_cert.get_subject())
ca_cert.add_extensions([
crypto.X509Extension("basicConstraints", True, "CA:TRUE"),
crypto.X509Extension("keyUsage", True, "keyCertSign, cRLSign"),
crypto.X509Extension("subjectKeyIdentifier",
False,
"hash",
subject=ca_cert),
crypto.X509Extension("authorityKeyIdentifier",
False,
'keyid,issuer',
issuer=ca_cert)
])
# Signing the key
ca_cert.sign(self.pKey, str(json['hash']))
# Setting the public key
self.public = crypto.dump_certificate(crypto.FILETYPE_PEM, ca_cert)
def dummy_cert(commonname, certdir = 'crt', ca = 'APPP.pks', sans = ''):
if not os.path.exists(certdir):
os.makedirs(certdir)
namehash = sha256(commonname.encode()).hexdigest()
certpath = os.path.join(certdir, namehash + ".pem")
if os.path.exists(certpath) and os.path.getsize(certpath) > 0:
logger.debug('Certificate for %s already exists.', commonname)
return certpath
logger.debug('Creating certificate for %s.', commonname)
ss = []
for i in sans:
ss.append("DNS: %s"%i)
ss = ", ".join(ss).encode()
if ca:
f = open(ca, "r")
raw = f.read()
ca = crypto.load_certificate(crypto.FILETYPE_PEM, raw)
key = crypto.load_privatekey(crypto.FILETYPE_PEM, raw)
f.close()
else:
return None
req = crypto.X509Req()
subj = req.get_subject()
subj.CN = commonname
req.set_pubkey(ca.get_pubkey())
req.sign(key, "sha1")
if ss:
req.add_extensions([crypto.X509Extension(b"subjectAltName", True, ss)])
cert = crypto.X509()
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(60 * 60 * 24 * 3652)
cert.set_issuer(ca.get_subject())
cert.set_subject(req.get_subject())
cert.set_serial_number(int(time()*10000))
if ss:
cert.add_extensions([crypto.X509Extension(b"subjectAltName", True, ss)])
cert.set_pubkey(req.get_pubkey())
cert.sign(key, "sha1")
f = open(certpath, "w+b")
f.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
f.close()
return certpath
