def cmd_init(workingdir):
    """Initialise a CA in ``workingdir`` using the configured backend.

    Clears stale material (``*.pem``, ``*.crt``, ``*.zip``, ``*.der``,
    ``private.yml``), builds a CA certificate/key through ``ca_impl``,
    records the private key and ``lastserial = 1`` in the private store,
    writes ``cacert.crt``, ``ca-public.pem`` and an empty CRL
    (``cacrl.der`` / ``cacrl.pem``), and finally checks that the written
    certificate self-verifies.  The caller's working directory is
    restored on exit.

    Raises:
        Exception: if ``common.CA_IMPL`` is neither ``cfssl`` nor
            ``openssl``.
    """
    original_dir = os.getcwd()
    try:
        common.ch_dir(workingdir, logger)
        for pattern in ("*.pem", "*.crt", "*.zip", "*.der", "private.yml"):
            rmfiles(pattern)

        backend = common.CA_IMPL
        if backend not in ('cfssl', 'openssl'):
            raise Exception("Unknown CA implementation: %s" % backend)

        # cfssl also hands back the key as a string, which gencrl needs later.
        if backend == 'cfssl':
            pk_str, cacert, ca_pk, _ = ca_impl.mk_cacert()
        else:
            pk_str = None
            cacert, ca_pk, _ = ca_impl.mk_cacert()

        priv = read_private()

        # write out keys
        with open('cacert.crt', 'wb') as cert_file:
            cert_file.write(cacert.as_pem())
        key_buf = BIO.MemoryBuffer()
        ca_pk.save_key_bio(key_buf, None)
        priv[0]['ca'] = key_buf.getvalue()
        key_buf.close()

        # store the last serial number created.
        # the CA is always serial # 1
        priv[0]['lastserial'] = 1
        write_private(priv)
        ca_pk.get_rsa().save_pub_key('ca-public.pem')

        # generate an empty crl
        crl_key = pk_str if backend == 'cfssl' else str(priv[0]['ca'])
        crl = ca_impl.gencrl([], cacert.as_pem(), crl_key)
        if isinstance(crl, str):
            crl = crl.encode('utf-8')
        with open('cacrl.der', 'wb') as crl_file:
            crl_file.write(crl)
        convert_crl_to_pem("cacrl.der", "cacrl.pem")

        # Sanity checks...
        written_cert = X509.load_cert('cacert.crt')
        if not written_cert.verify():
            logger.error("ERROR: Cert does not self validate")
        else:
            logger.info("CA certificate created successfully in %s" % workingdir)
    finally:
        os.chdir(original_dir)
def test_cfssl(self):
    """Check that a cfssl-issued leaf certificate verifies under its CA key.

    Builds a CA (one throwaway call with a name, then the one actually
    used), signs a leaf certificate with it and verifies the leaf's
    signature with the CA public key; an ``InvalidSignature`` fails the
    test.
    """
    ca_impl_cfssl.mk_cacert("my ca")
    ca_cert, ca_pk, extra = ca_impl_cfssl.mk_cacert()
    # NOTE(review): the third mk_cacert() value is forwarded to mk_signed_cert
    # unchanged; its meaning is not visible here — confirm against ca_impl_cfssl.
    cert, _ = ca_impl_cfssl.mk_signed_cert(ca_cert, ca_pk, "cert", extra)
    ca_pubkey = ca_cert.public_key()
    try:
        ca_pubkey.verify(
            cert.signature,
            cert.tbs_certificate_bytes,
            padding.PKCS1v15(),
            cert.signature_hash_algorithm,
        )
    except crypto_exceptions.InvalidSignature:
        self.fail("Certificate signature validation failed.")
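def cmd_init(workingdir):
    """Create a fresh CA in ``workingdir``.

    Removes previous material (``*.pem``, ``*.crt``, ``*.zip``, ``*.der``,
    ``private.yml``), generates a CA certificate and key via
    ``ca_impl.mk_cacert``, stores the PKCS8 private key and
    ``lastserial = 1`` through ``write_private``, writes ``cacert.crt``,
    ``ca-public.pem`` and an empty CRL (``cacrl.der`` / ``cacrl.pem``),
    and checks that the certificate on disk verifies under the CA's own
    public key.

    The caller's working directory is restored on exit.  A failed
    self-signature check is logged rather than raised; the ``except`` is
    now scoped to the verify call only, so an ``InvalidSignature`` from
    any earlier step propagates instead of being reported as a
    self-validation failure.
    """
    cwd = os.getcwd()
    try:
        fs_util.ch_dir(workingdir)
        for pattern in ("*.pem", "*.crt", "*.zip", "*.der", "private.yml"):
            rmfiles(pattern)
        cacert, ca_pk, _ = ca_impl.mk_cacert()  # pylint: disable=W0632
        priv = read_private()

        # write out keys
        cacert_pem = cacert.public_bytes(serialization.Encoding.PEM)
        with open('cacert.crt', 'wb') as f:
            f.write(cacert_pem)
        priv[0]['ca'] = ca_pk.private_bytes(
            encoding=serialization.Encoding.PEM,
            format=serialization.PrivateFormat.PKCS8,
            encryption_algorithm=serialization.NoEncryption(),
        )
        # store the last serial number created.
        # the CA is always serial # 1
        priv[0]['lastserial'] = 1
        write_private(priv)
        # O_TRUNC: without it a pre-existing file that rmfiles did not remove
        # would keep trailing bytes of its old content after the new PEM.
        pub_flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC
        with os.fdopen(os.open("ca-public.pem", pub_flags, 0o600), 'wb') as f:
            f.write(ca_pk.public_key().public_bytes(
                encoding=serialization.Encoding.PEM,
                format=serialization.PublicFormat.SubjectPublicKeyInfo,
            ))

        # generate an empty crl
        crl = ca_impl.gencrl([], cacert_pem.decode(), priv[0]['ca'].decode())
        if isinstance(crl, str):
            crl = crl.encode('utf-8')
        with open('cacrl.der', 'wb') as f:
            f.write(crl)
        convert_crl_to_pem("cacrl.der", "cacrl.pem")

        # Sanity checks: the certificate written to disk must verify under the
        # in-memory CA public key, i.e. it was not altered on the way out.
        cac = load_cert_by_path('cacert.crt')
        pubkey = cacert.public_key()
        try:
            # NOTE(review): PKCS1v15 padding assumes an RSA CA key; confirm
            # ca_impl.mk_cacert never returns another key type.
            pubkey.verify(
                cac.signature,
                cac.tbs_certificate_bytes,
                padding.PKCS1v15(),
                cac.signature_hash_algorithm,
            )
        except crypto_exceptions.InvalidSignature:
            logger.error("ERROR: Cert does not self validate")
        else:
            logger.info("CA certificate created successfully in %s", workingdir)
    finally:
        os.chdir(cwd)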