Пример #1
0
 def _create(self, hostname='localhost'):
     # Make the RSA key
     self.rsakey = RSA.gen_key(2048, m2.RSA_F4)
     if self.secure:
         # Save the key, AES256-CBC encrypted
         self.rsakey.save_key(self.keyfile, 'aes_256_cbc')
     else:
         # Save the key unencrypted.
         self.rsakey.save_key(self.keyfile, None, callback=m2util.no_passphrase_callback)
     # Make the public key
     pkey = EVP.PKey()
     pkey.assign_rsa(self.rsakey, 0)
     # Generate the certificate
     self.cert = X509.X509()
     self.cert.set_serial_number(long(bttime()))
     self.cert.set_version(0x2)
     self.cert.set_pubkey(pkey)
     # Set the name on the certificate
     name = X509.X509_Name()
     name.CN = hostname
     self.cert.set_subject(name)
     self.cert.set_issuer(name)
     # Set the period of time the cert is valid for (5 years from issue)
     notBefore = m2.x509_get_not_before(self.cert.x509)
     notAfter = m2.x509_get_not_after(self.cert.x509)
     m2.x509_gmtime_adj(notBefore, 0)
     m2.x509_gmtime_adj(notAfter, 60*60*24*365*5)
     # Sign the certificate
     self.cert.sign(pkey, 'sha1')
     # Save it
     self.cert.save_pem(self.certfile)
Пример #2
0
    def generate_ssl_credential(self,
                                hostname,
                                lifetime=24 * 60 * 60,
                                sign_hash="sha1"):
        """Generate credentials for a given target.

        Returns a tuple of X509 certificate and EVP key."""
        cert = X509.X509()
        cert.set_serial_number(self._get_next_serial_number())
        cert.set_version(2)
        name = self.get_relative_subject()
        name.CN = hostname
        cert.set_subject(name)
        cert.set_issuer(self.cert.get_subject())
        cert.set_pubkey(self.service_key)
        notBefore = m2.x509_get_not_before(cert.x509)
        notAfter = m2.x509_get_not_after(cert.x509)
        m2.x509_gmtime_adj(notBefore, 0)
        m2.x509_gmtime_adj(notAfter, lifetime)
        ext = X509.new_extension('basicConstraints', 'CA:FALSE')
        ext.set_critical()
        cert.add_ext(ext)
        ext = X509.new_extension('keyUsage',
                                 'digitalSignature, keyEncipherment')
        ext.set_critical()
        cert.add_ext(ext)
        cert.sign(self.key, sign_hash)
        return cert, self.service_key
Пример #3
0
    def generate_ssl_credential(self,
                                hostname,
                                
                                lifetime=24*60*60,
                                sign_hash="sha1"):
        """Generate credentials for a given target.

        Returns a tuple of X509 certificate and EVP key."""
        cert = X509.X509()
        cert.set_serial_number(self._get_next_serial_number())
        cert.set_version(2)
        name = self.get_relative_subject()
        name.CN = hostname
        cert.set_subject(name)
        cert.set_issuer(self.cert.get_subject())
        cert.set_pubkey(self.service_key)
        notBefore = m2.x509_get_not_before(cert.x509)
        notAfter  = m2.x509_get_not_after(cert.x509)
        m2.x509_gmtime_adj(notBefore, 0)
        m2.x509_gmtime_adj(notAfter, lifetime)
        ext = X509.new_extension('basicConstraints', 'CA:FALSE')
        ext.set_critical()
        cert.add_ext(ext)
        ext = X509.new_extension('keyUsage',
                                 'digitalSignature, keyEncipherment')
        ext.set_critical()
        cert.add_ext(ext)
        cert.sign(self.key, sign_hash)
        return cert, self.service_key
Пример #4
0
 def _create(self, hostname='localhost'):
     # Make the RSA key
     self.rsakey = RSA.gen_key(2048, m2.RSA_F4)
     if self.secure:
         # Save the key, AES256-CBC encrypted
         self.rsakey.save_key(self.keyfile, 'aes_256_cbc')
     else:
         # Save the key unencrypted.
         self.rsakey.save_key(self.keyfile,
                              None,
                              callback=m2util.no_passphrase_callback)
     # Make the public key
     pkey = EVP.PKey()
     pkey.assign_rsa(self.rsakey, 0)
     # Generate the certificate
     self.cert = X509.X509()
     self.cert.set_serial_number(long(bttime()))
     self.cert.set_version(0x2)
     self.cert.set_pubkey(pkey)
     # Set the name on the certificate
     name = X509.X509_Name()
     name.CN = hostname
     self.cert.set_subject(name)
     self.cert.set_issuer(name)
     # Set the period of time the cert is valid for (5 years from issue)
     notBefore = m2.x509_get_not_before(self.cert.x509)
     notAfter = m2.x509_get_not_after(self.cert.x509)
     m2.x509_gmtime_adj(notBefore, 0)
     m2.x509_gmtime_adj(notAfter, 60 * 60 * 24 * 365 * 5)
     # Sign the certificate
     self.cert.sign(pkey, 'sha1')
     # Save it
     self.cert.save_pem(self.certfile)
Пример #5
0
 def get_not_after(self):
     assert m2.x509_type_check(self.x509), "'x509' type error"
     out = ASN1.ASN1_UTCTIME(m2.x509_get_not_after(self.x509))
     if 'Bad time value' in str(out):
         raise X509Error('''M2Crypto cannot handle dates after year 2050.
             See RFC 5280 4.1.2.5 for more information.
             ''')
     return out
Пример #6
0
 def _set_duration(self, cert):
     """Set certificate duration; return certificate object."""
     notBefore = m2.x509_get_not_before(cert.x509)
     notAfter = m2.x509_get_not_after(cert.x509)
     days = self.signca.ca_def_duration
     common.is_number(days)
     m2.x509_gmtime_adj(notBefore, 0)
     m2.x509_gmtime_adj(notAfter, 60*60*24*int(days))
     return cert
Пример #7
0
Файл: ca.py Проект: mattmb/spoke
 def _set_duration(self, cert):
     """Set certificate duration; return certificate object."""
     notBefore = m2.x509_get_not_before(cert.x509)
     notAfter = m2.x509_get_not_after(cert.x509)
     days = self.signca.ca_def_duration
     common.is_number(days)
     m2.x509_gmtime_adj(notBefore, 0)
     m2.x509_gmtime_adj(notAfter, 60 * 60 * 24 * int(days))
     return cert
Пример #8
0
 def get_not_after(self):
     assert m2.x509_type_check(self.x509), "'x509' type error"
     out = ASN1.ASN1_UTCTIME(m2.x509_get_not_after(self.x509))
     if 'Bad time value' in str(out):
         raise X509Error(
             '''M2Crypto cannot handle dates after year 2050.
             See RFC 5280 4.1.2.5 for more information.
             ''')
     return out
Пример #9
0
def makeCert(req, caPkey, issuer, client_cert = False, group = None):
    pkey = req.get_pubkey()
    #woop = makePKey(generateRSAKey())
    #if not req.verify(woop.pkey):
    if not req.verify(pkey):
        # XXX What error object should I use?
        raise ValueError, 'Error verifying request'
    sub = req.get_subject()
    # If this were a real certificate request, you would display
    # all the relevant data from the request and ask a human operator
    # if you were sure. Now we just create the certificate blindly based
    # on the request.    
    cert = X509.X509()
    # We know we are making CA cert now...
    # Serial defaults to 0.
    cert.set_serial_number(1)
    cert.set_version(2)
    cert.set_subject(sub)
    cert.set_issuer(issuer)
    cert.set_pubkey(pkey)
    notBefore = m2.x509_get_not_before(cert.x509)
    notAfter  = m2.x509_get_not_after(cert.x509)
    m2.x509_gmtime_adj(notBefore, -1*60*60*24)
    days = 1095 # 3 year
    m2.x509_gmtime_adj(notAfter, 60*60*24*days)

    if client_cert:
        cert.add_ext(X509.new_extension('basicConstraints', 'CA:FALSE'))
        cert.add_ext(X509.new_extension('nsCertType', 'client'))
        cert.add_ext(X509.new_extension \
                        ('keyUsage', 'digitalSignature, keyEncipherment'))
        cert.add_ext(X509.new_extension('extendedKeyUsage', 'clientAuth'))
        if group:
            cert.add_ext(X509.new_extension('nsComment', 'group:%s' %group))
    else:
        ext = X509.new_extension('basicConstraints', 'CA:TRUE')
        ext.set_critical(1)
        cert.add_ext(ext)

        # Create the subject key identifier
        #modulus = cert.get_pubkey().get_modulus()
        #sha_hash = hashlib.sha1(modulus).digest()
        #sub_key_id = ":".join(["%02X"%ord(byte) for byte in sha_hash])
        cert.add_ext(X509.new_extension('subjectKeyIdentifier', 'hash'))

        cert.add_ext(X509.new_extension('authorityKeyIdentifier','keyid'))
    cert.sign(caPkey, 'sha1')
    return cert
Пример #10
0
def create_certificate(issuerPrivKey,
                       issuerInfo,
                       subjectPubKey,
                       subjectInfo,
                       validForDays,
                       serial,
                       version = 0,
                       hash = 'sha1'):
   """
   Create a certificate and return certificate (PEM, text, fingerprint).
   """

   ikey = RSA.load_key_bio(BIO.MemoryBuffer(issuerPrivKey))
   if ikey.check_key() != 1:
      raise Exception("invalid issuer RSA key")
   p_ikey = EVP.PKey(md = hash)
   p_ikey.assign_rsa(ikey)

   skey = RSA.load_pub_key_bio(BIO.MemoryBuffer(subjectPubKey))
   if skey.check_key() != 1:
      raise Exception("invalid subject RSA key")
   p_skey = EVP.PKey(md = hash)
   p_skey.assign_rsa(skey)

   cert = X509.X509()
   cert.set_pubkey(p_skey)

   issuer = x509name_from_info(issuerInfo)
   cert.set_issuer(issuer)

   subject = x509name_from_info(subjectInfo)
   cert.set_subject(subject)

   notBefore = m2.x509_get_not_before(cert.x509)
   notAfter = m2.x509_get_not_after(cert.x509)
   m2.x509_gmtime_adj(notBefore, 0)
   m2.x509_gmtime_adj(notAfter, 60 * 60 * 24 * validForDays)

   cert.set_serial_number(serial)
   cert.set_version(version)

   cert.sign(p_ikey, hash)
   return (cert.as_pem(), cert.as_text(), cert_fingerprint(cert))
Пример #11
0
def makeCert(req, caPkey):
    pkey = req.get_pubkey()
    # woop = makePKey(generateRSAKey())
    # if not req.verify(woop.pkey):
    if not req.verify(pkey):
        # XXX What error object should I use?
        raise ValueError('Error verifying request')
    sub = req.get_subject()
    # If this were a real certificate request, you would display
    # all the relevant data from the request and ask a human operator
    # if you were sure. Now we just create the certificate blindly based
    # on the request.
    cert = X509.X509()
    # We know we are making CA cert now...
    # Serial defaults to 0.
    cert.set_serial_number(1)
    cert.set_version(2)
    cert.set_subject(sub)
    issuer = X509.X509_Name()
    issuer.CN = 'The Issuer Monkey'
    issuer.O = 'The Organization Otherwise Known as My CA, Inc.'
    cert.set_issuer(issuer)
    cert.set_pubkey(pkey)
    notBefore = m2.x509_get_not_before(cert.x509)
    notAfter = m2.x509_get_not_after(cert.x509)
    m2.x509_gmtime_adj(notBefore, 0)
    days = 30
    m2.x509_gmtime_adj(notAfter, 60 * 60 * 24 * days)
    cert.add_ext(X509.new_extension('subjectAltName',
                                    'DNS:foobar.example.com'))
    ext = X509.new_extension('nsComment', 'M2Crypto generated certificate')
    ext.set_critical(0)  # Defaults to non-critical, but we can also set it
    cert.add_ext(ext)
    cert.sign(caPkey, 'sha1')

    assert (cert.get_ext('subjectAltName').get_name() == 'subjectAltName')
    assert (cert.get_ext_at(0).get_name() == 'subjectAltName')
    assert (cert.get_ext_at(0).get_value() == 'DNS:foobar.example.com')

    return cert
Пример #12
0
def makeCert(req, caPkey):
    pkey = req.get_pubkey()
    # woop = makePKey(generateRSAKey())
    # if not req.verify(woop.pkey):
    if not req.verify(pkey):
        # XXX What error object should I use?
        raise ValueError('Error verifying request')
    sub = req.get_subject()
    # If this were a real certificate request, you would display
    # all the relevant data from the request and ask a human operator
    # if you were sure. Now we just create the certificate blindly based
    # on the request.
    cert = X509.X509()
    # We know we are making CA cert now...
    # Serial defaults to 0.
    cert.set_serial_number(1)
    cert.set_version(2)
    cert.set_subject(sub)
    issuer = X509.X509_Name()
    issuer.CN = 'The Issuer Monkey'
    issuer.O = 'The Organization Otherwise Known as My CA, Inc.'
    cert.set_issuer(issuer)
    cert.set_pubkey(pkey)
    notBefore = m2.x509_get_not_before(cert.x509)
    notAfter = m2.x509_get_not_after(cert.x509)
    m2.x509_gmtime_adj(notBefore, 0)
    days = 30
    m2.x509_gmtime_adj(notAfter, 60 * 60 * 24 * days)
    cert.add_ext(
        X509.new_extension('subjectAltName', 'DNS:foobar.example.com'))
    ext = X509.new_extension('nsComment', 'M2Crypto generated certificate')
    ext.set_critical(0)  # Defaults to non-critical, but we can also set it
    cert.add_ext(ext)
    cert.sign(caPkey, 'sha1')

    assert(cert.get_ext('subjectAltName').get_name() == 'subjectAltName')
    assert(cert.get_ext_at(0).get_name() == 'subjectAltName')
    assert(cert.get_ext_at(0).get_value() == 'DNS:foobar.example.com')

    return cert
Пример #13
0
def main(argv=None):
    # Do argv default this way, as doing it in the functional
    # declaration sets it at compile time.
    if argv is None:
        argv = sys.argv

    # Set up out output via logging module
    output = logging.getLogger(argv[0])
    output.setLevel(logging.DEBUG)
    output_handler = logging.StreamHandler(sys.stdout)  # Default is sys.stderr
    # Set up formatter to just print message without preamble
    output_handler.setFormatter(logging.Formatter("%(message)s"))
    output.addHandler(output_handler)

    # Argument parsing
    parser = argparse.ArgumentParser(
        description=__doc__, # printed with -h/--help
        formatter_class=argparse.ArgumentDefaultsHelpFormatter,
        )
    # Only allow one of debug/quiet mode
    verbosity_group = parser.add_mutually_exclusive_group()
    verbosity_group.add_argument("-d", "--debug",
                                 action='store_const', const=logging.DEBUG,
                                 dest="output_level", default=logging.INFO,
                                 help="print debugging")
    verbosity_group.add_argument("-q", "--quiet",
                                 action="store_const", const=logging.WARNING,
                                 dest="output_level",
                                 help="run quietly")
    parser.add_argument("-k", "--keylength", type=int, default=2048,
                        help="specify key length", metavar="length")
    parser.add_argument("-C", "--cn", type=str, default="My Service",
                        help="specify CommonName component", metavar="cn")
    parser.add_argument("-O", "--org", type=str, default="My Org",
                        help="specify Org component", metavar="org")
    parser.add_argument("-l", "--lifetime", type=int, default=365,
                        help="specify certificate lifetime in days",
                        metavar="days")
    parser.add_argument("--version", action="version", version="%(prog)s 1.0")
    parser.add_argument("ca_certFile", metavar="path", type=str, nargs="?",
                        default="ca-cert.pem",
                        help="where to save PEM-encoded certificate")
    parser.add_argument("ca_keyFile", metavar="path", type=str, nargs="?",
                        default="ca-key.pem",
                        help="where to save PEM-encoded key")
    parser.add_argument("certFile", metavar="path", type=str, nargs="?",
                        default="cert.pem",
                        help="where to save PEM-encoded certificate")
    parser.add_argument("keyFile", metavar="path", type=str, nargs="?",
                        default="key.pem",
                        help="where to save PEM-encoded key")
    args = parser.parse_args()
    output_handler.setLevel(args.output_level)

    output.info("Loading CA credentials...")
    ca_cert = X509.load_cert(args.ca_certFile)
    ca_key = EVP.load_key(args.ca_keyFile)

    output.info("Generating keys...")
    rsa_key = RSA.gen_key(args.keylength, m2.RSA_F4)
    key = EVP.PKey()
    key.assign_rsa(rsa_key)

    output.info("Generating certificate...")
    cert = X509.X509()
    cert.set_serial_number(ca_cert.get_serial_number() + 1)
    cert.set_version(2)
    name = X509.X509_Name()
    name.CN = args.cn
    name.O = args.org
    cert.set_subject(name)
    cert.set_issuer(name)
    cert.set_pubkey(key)
    notBefore = m2.x509_get_not_before(cert.x509)
    notAfter  = m2.x509_get_not_after(cert.x509)
    m2.x509_gmtime_adj(notBefore, 0)
    m2.x509_gmtime_adj(notAfter, args.lifetime * 60 * 60 * 24)
    ext = X509.new_extension('basicConstraints', 'CA:FALSE')
    ext.set_critical()
    cert.add_ext(ext)
    ext = X509.new_extension('keyUsage', 'digitalSignature, keyEncipherment')
    ext.set_critical()
    cert.add_ext(ext)
    cert.sign(key, 'sha1')
    output.info("Saving certificate to {}".format(args.certFile))
    cert.save_pem(args.certFile)
    output.info("Saving private key to {}".format(args.keyFile))
    key.save_key(args.keyFile, cipher=None)  # cipher=None -> save in the clear
    output.info("Success.")

    return(0)
Пример #14
0
    def _make_valid_expiry(self, days=365):
        not_before = m2.x509_get_not_before(self._x509._ptr())
        not_after = m2.x509_get_not_after(self._x509._ptr())

        m2.x509_gmtime_adj(not_before, 0)
        m2.x509_gmtime_adj(not_after, days * 24 * 60 * 60)
Пример #15
0
    def _make_valid_expiry(self, days=365):
        not_before = m2.x509_get_not_before(self._x509._ptr())
        not_after  = m2.x509_get_not_after(self._x509._ptr())

        m2.x509_gmtime_adj(not_before, 0)
        m2.x509_gmtime_adj(not_after, days * 24 * 60 * 60)