def test_x509_name(self): n = X509.X509_Name() n.C = 'US' # It seems this actually needs to be a real 2 letter country code n.SP = 'State or Province' n.L = 'locality name' n.O = 'orhanization name' n.OU = 'org unit' n.CN = 'common name' n.Email = '*****@*****.**' n.serialNumber = '1234' n.SN = 'surname' n.GN = 'given name' n.givenName = 'name given' assert len(n) == 11, len(n) tl = map(x509_name_entry2tuple, x509_name2list(n)) assert len(tl) == len(n), len(tl) x509_n = m2.x509_name_new() for o in map(tuple2x509_name_entry, tl): m2.x509_name_add_entry(x509_n, o._ptr(), -1, 0) o._pyfree = 0 # Take care of underlying object n1 = X509.X509_Name(x509_n) assert n.as_text() == n1.as_text(), n1.as_text()
def test_x509_name(self): n = X509.X509_Name() # It seems this actually needs to be a real 2 letter country code n.C = b'US' n.SP = b'State or Province' n.L = b'locality name' n.O = b'orhanization name' n.OU = b'org unit' n.CN = b'common name' n.Email = b'*****@*****.**' n.serialNumber = b'1234' n.SN = b'surname' n.GN = b'given name' n.givenName = b'name given' self.assertEqual(len(n), 11, len(n)) # Thierry: this call to list seems extraneous... tl = [x509_name_entry2tuple(x) for x in x509_name2list(n)] self.assertEqual(len(tl), len(n), len(tl)) x509_n = m2.x509_name_new() for o in [tuple2x509_name_entry(x) for x in tl]: m2.x509_name_add_entry(x509_n, o._ptr(), -1, 0) o._pyfree = 0 # Take care of underlying object n1 = X509.X509_Name(x509_n) self.assertEqual(n.as_text(), n1.as_text(), n1.as_text())
def get_x509_proxy(self, request_pem, issuer=None, subject=None, private_key=None): """ Generate a X509 proxy based on the request Args: requestPEM: The request PEM encoded issuer: The issuer user subject: The subject of the proxy. If None, issuer/CN=proxy will be used Returns: A X509 proxy PEM encoded """ if issuer is None: issuer = [('DC', 'ch'), ('DC', 'cern'), ('CN', 'Test User')] if subject is None: subject = issuer + [('CN', 'proxy')] x509_request = X509.load_request_string(str(request_pem)) not_before = ASN1.ASN1_UTCTIME() not_before.set_datetime(datetime.now(UTC)) not_after = ASN1.ASN1_UTCTIME() not_after.set_datetime(datetime.now(UTC) + timedelta(hours=3)) issuer_subject = X509.X509_Name() for c in issuer: issuer_subject.add_entry_by_txt(c[0], 0x1000, c[1], -1, -1, 0) proxy_subject = X509.X509_Name() for c in subject: proxy_subject.add_entry_by_txt(c[0], 0x1000, c[1], -1, -1, 0) proxy = X509.X509() proxy.set_version(2) proxy.set_subject(proxy_subject) proxy.set_serial_number(int(time.time())) proxy.set_version(x509_request.get_version()) proxy.set_issuer(issuer_subject) proxy.set_pubkey(x509_request.get_pubkey()) proxy.set_not_after(not_after) proxy.set_not_before(not_before) if not private_key: proxy.sign(self.pkey, 'sha1') else: proxy.sign(private_key, 'sha1') return proxy.as_pem() + self.cert.as_pem()
def genSignature(privkey, sig_domain="WangYang", sig_depart="", sig_organization="IIE", sig_province="Beijing", sig_locale="Beijing"): #首先载入密钥文件。此文件同时保存了申请者的私钥与公钥。 pkey=EVP.load_key_string(privkey, util.no_passphrase_callback) req=X509.Request() req.set_pubkey(pkey) #包含公钥 #req.set_version(1) #身份信息不是简单的字符串。而是X509_Name对象。 name=X509.X509_Name() #CN是Common Name的意思。如果是一个网站的电子证书,就要写成网站的域名 name.CN = sig_domain # "WangYang" # 普通名字 #Organization Unit,通常是指部门吧,组织内单元 name.OU = sig_depart # "SKLOIS" #Organization。通常是指公司 name.O = sig_organization # "IIE" #State or Province。州或者省 name.ST = sig_province # "Beijing" #Locale。 name.L = sig_locale # "Beijing" #国家。不能直接写国家名字,比如China之类的,而应该是国家代码。 #CN代表中国。US代表美国,JP代表日本 name.C="CN" # 国家名称 req.set_subject(name) #包含通信节点的身份信息 req.sign(pkey, "sha256") #使用通信节点的密钥进行签名,sha1已经不安全了,这里使用sha256 signature = req.as_pem() return signature
def helper_generate_certificate(self, pkey): """Create a self-signed x509 certificate.""" name = X509.X509_Name() name.C = 'NO' name.ST = 'Oslo' name.L = 'Oslo' name.O = 'University of Oslo' name.OU = 'Cerebrumtesting' name.CN = '127.0.0.1' name.emailAddress = '*****@*****.**' cert = X509.X509() cert.set_version(2) cert.set_serial_number(1) cert.set_subject(name) t = long(time.time()) + time.timezone now = ASN1.ASN1_UTCTIME() now.set_time(t) end = ASN1.ASN1_UTCTIME() end.set_time(t + 60 * 60 * 24 * 365 * 10) cert.set_not_before(now) cert.set_not_after(end) cert.set_issuer(name) cert.set_pubkey(pkey) #ext = X509.new_extension('subjectAltName', 'DNS:localhost') #ext.set_critical(0) #cert.add_ext(ext) cert.sign(pkey, 'sha1') return cert
def _create(self, hostname='localhost'): # Make the RSA key self.rsakey = RSA.gen_key(2048, m2.RSA_F4) if self.secure: # Save the key, AES256-CBC encrypted self.rsakey.save_key(self.keyfile, 'aes_256_cbc') else: # Save the key unencrypted. self.rsakey.save_key(self.keyfile, None, callback=m2util.no_passphrase_callback) # Make the public key pkey = EVP.PKey() pkey.assign_rsa(self.rsakey, 0) # Generate the certificate self.cert = X509.X509() self.cert.set_serial_number(long(bttime())) self.cert.set_version(0x2) self.cert.set_pubkey(pkey) # Set the name on the certificate name = X509.X509_Name() name.CN = hostname self.cert.set_subject(name) self.cert.set_issuer(name) # Set the period of time the cert is valid for (5 years from issue) notBefore = m2.x509_get_not_before(self.cert.x509) notAfter = m2.x509_get_not_after(self.cert.x509) m2.x509_gmtime_adj(notBefore, 0) m2.x509_gmtime_adj(notAfter, 60 * 60 * 24 * 365 * 5) # Sign the certificate self.cert.sign(pkey, 'sha1') # Save it self.cert.save_pem(self.certfile)
def name_from_options(options): name = X509.X509_Name() for field in ('C', 'ST', 'L', 'O', 'OU', 'CN'): value = getattr(options, field) if value: setattr(name, field, value) return name, []
def gen_cert(): """ Generate TLS certificate request for testing """ req, key = gen_req() pub_key = req.get_pubkey() subject = req.get_subject() cert = X509.X509() # noinspection PyTypeChecker cert.set_serial_number(1) cert.set_version(2) cert.set_subject(subject) t = int(time.time()) now = ASN1.ASN1_UTCTIME() now.set_time(t) now_plus_year = ASN1.ASN1_UTCTIME() now_plus_year.set_time(t + 60 * 60 * 24 * 365) cert.set_not_before(now) cert.set_not_after(now_plus_year) issuer = X509.X509_Name() issuer.C = 'US' issuer.CN = 'minifi-listen' cert.set_issuer(issuer) cert.set_pubkey(pub_key) cert.sign(key, 'sha256') return cert, key
def on_generate(self, cr, uid, ids, context=None): if context is None: context = {} active_ids = context['active_ids'] pairkey_obj = self.pool.get('crypto.pairkey') r_ids = [] for wizard in self.browse(cr, uid, ids): try: name = X509.X509_Name() if wizard.name_c: name.C = wizard.name_c if wizard.name_sp: name.SP = wizard.name_sp if wizard.name_l: name.L = wizard.name_l if wizard.name_o: name.O = wizard.name_o if wizard.name_ou: name.OU = wizard.name_ou if wizard.name_cn: name.CN = wizard.name_cn if wizard.name_gn: name.GN = wizard.name_gn if wizard.name_sn: name.SN = wizard.name_sn if wizard.name_email: name.EMail = wizard.name_email if wizard.name_serialnumber: name.serialNumber = wizard.name_serialnumber r = pairkey_obj.generate_certificate_request( cr, uid, active_ids, name) r_ids.extend([r[_id] for _id in active_ids]) except Exception, m: raise osv.except_osv(_('Error'), m)
def set_cacert(cert, CN=None, C=None, O=None, OU=None, Email=None): """Set the SubjectAltName, Issuer and Subject :param CN: certificate commonName :param C: certificate countryName :param O: certificate organizationName :param OU: certificate organizationalUnitName :param Email: certificate emailAddress :type CN: string :type C: string :type O: string :type OU: string :type Email: string :param cert: x509 certificate :type cert: X509.X509 :return: x509 certificate :rtype: X509.X509 """ x509_name = X509.X509_Name() x509_name.O = O x509_name.OU = OU x509_name.CN = CN x509_name.Email = Email cert.set_issuer(x509_name) # ext = X509.new_extension('subjectAltName', 'DNS:foobar.example.com') # ext.set_critical(0)# Defaults to non-critical, but we can also set it # cert.add_ext(ext) return cert
def set_cert_xmppwebid(cert, id_xmpp, webid): """Set the SubjectAltName, Issuer and Subject :param cert: x509 certificate :type cert: X509.X509 :param id_xmpp: xmpp id :param webid: FOAF WebId :type id_xmpp: string :type webid: string :return: x509 certificate :rtype: X509.X509 """ # optional # the issuer is going to be the same as subject x509_name = X509.X509_Name() x509_name.O = O x509_name.OU = OU x509_name.CN = CN cert.set_issuer(x509_name) # set subjectAltName extension ext = X509.new_extension( 'subjectAltName', 'URI:%s, otherName:%s;UTF8:%s' % (webid, ID_ON_XMPPADDR_OID, id_xmpp)) ext.set_critical(1) cert.add_ext(ext) return cert
def set_csr_subject(csr, CN=None, C=None, O=None, OU=None, Email=None): """Set the CSR Subject data :param CN: certificate commonName :param C: certificate countryName :param O: certificate organizationName :param OU: certificate organizationalUnitName :param Email: certificate emailAddress :type CN: string :type C: string :type O: string :type OU: string :type Email: string :return: x509 request :rtype: X509.Request """ x509_name = X509.X509_Name() x509_name.CN = CN x509_name.C = C x509_name.O = O x509_name.OU = OU x509_name.Email = Email csr.set_subject_name(x509_name) return csr
def mk_ca(): r, pk = req('ca') pkey = r.get_pubkey() sub = r.get_subject() cert = X509.X509() cert.set_version(2) cert.set_subject(sub) cert.set_serial_number(0) issuer = X509.X509_Name() issuer.C = sub.C issuer.O = sub.O issuer.CN = sub.CN cert.set_issuer(issuer) cert.set_pubkey(pkey) cert.set_not_before(before) cert.set_not_after(after) ext = X509.new_extension('basicConstraints', 'CA:TRUE') cert.add_ext(ext) cert.sign(pk, 'sha256') saveTextPemKey(cert, 'ca') return cert, pk
def generate_certificate( self, aca_cert, btc_address=None, pkey=None, ): if pkey is None and btc_address is None: pkey, btc_address = self.generate_keys() self.btc_address = btc_address issuer = aca_cert.get_issuer() # Creating a certificate cert = X509.X509() # Set issuer cert.set_issuer(issuer) # Generate CS information cert_name = X509.X509_Name() cert_name.C = 'CT' cert_name.ST = 'Barcelona' cert_name.L = 'Bellaterra' cert_name.O = 'UAB' cert_name.OU = 'DEIC' cert_name.CN = btc_address cert.set_subject_name(cert_name) # Set public_key cert.set_pubkey(pkey) # Time for certificate to stay valid cur_time = ASN1.ASN1_UTCTIME() cur_time.set_time(int(time())) # Expire certs in 1 year. expire_time = ASN1.ASN1_UTCTIME() expire_time.set_time(int(time()) + 60 * 60 * 24 * 365) # Set the validity cert.set_not_before(cur_time) cert.set_not_after(expire_time) # Sign the certificate using the same key type the CA is going to use later # The resulting signature will not be used, it is only for setting the corresponding field into the certificate rsa_keys = RSA.gen_key(2046, 65537, callback=lambda x, y, z: None) rsa_pkey = EVP.PKey() rsa_pkey.assign_rsa(rsa_keys) cert.sign(rsa_pkey, md='sha256') # Load the Certificate as a ASN.1 object and extract the TBS Certificate (special thanks to Alex <*****@*****.**>) asn1_cert = decoder.decode(cert.as_der(), asn1Spec=Certificate())[0] tbs = asn1_cert.getComponentByName("tbsCertificate") # Compute the sha256 of the TBS Certificate tbs_der = encoder.encode(tbs) digest = sha256() digest.update(tbs_der) cert_hash = digest.digest() return asn1_cert, cert_hash
def CrearPedidoCertificado(self, cuit="", empresa="", nombre="pyafipws", filename="empresa.csr"): "Crear un certificate signing request (X509 CSR)" from M2Crypto import RSA, EVP, X509 # create the certificate signing request (CSR): self.x509_req = X509.Request () # normalizar encoding (reemplazar acentos, eñe, etc.) if isinstance(empresa, unicode): empresa = unicodedata.normalize('NFKD', empresa).encode('ASCII', 'ignore') if isinstance(nombre, unicode): nombre = unicodedata.normalize('NFKD', nombre).encode('ASCII', 'ignore') # subjet: C=AR/O=[empresa]/CN=[nombre]/serialNumber=CUIT [nro_cuit] x509name = X509.X509_Name () # default OpenSSL parameters: kwargs = {"type": 0x1000 | 1, "len": -1, "loc": -1, "set": 0} x509name.add_entry_by_txt(field='C', entry='AR', **kwargs) x509name.add_entry_by_txt(field='O', entry=empresa, **kwargs) x509name.add_entry_by_txt(field='CN', entry=nombre, **kwargs) x509name.add_entry_by_txt(field='serialNumber', entry="CUIT %s" % cuit, **kwargs) self.x509_req.set_subject_name(x509name) # sign the request with the previously created key (CrearClavePrivada) self.x509_req.set_pubkey (pkey=self.pkey) self.x509_req.sign(pkey=self.pkey, md='sha256') # save the CSR result to a file: f = open(filename, "w") f.write(self.x509_req.as_pem()) f.close()
def MakeCACert(common_name="grr", issuer_cn="grr_test", issuer_c="US"): """Generate a CA certificate. Args: common_name: Name for cert. issuer_cn: Name for issuer. issuer_c: Country for issuer. Returns: (Certificate, priv key, pub key). """ req, pk = MakeCSR(2048, common_name=common_name) pkey = req.get_pubkey() cert = X509.X509() cert.set_serial_number(1) cert.set_version(2) SetCertValidityDate(cert, days=3650) issuer = X509.X509_Name() issuer.C = issuer_c issuer.CN = issuer_cn cert.set_issuer(issuer) cert.set_subject(cert.get_issuer()) cert.set_pubkey(pkey) cert.add_ext(X509.new_extension("basicConstraints", "CA:TRUE")) cert.add_ext(X509.new_extension("subjectKeyIdentifier", cert.get_fingerprint())) cert.sign(pk, "sha256") return cert, pk, pkey
def __init__(self, parameters=None): """ Constructor """ super(DIRACCAProxyProvider, self).__init__(parameters) self.__X509Name = X509.X509_Name() self.log = gLogger.getSubLogger(__name__) # Initialize self.maxDict = {} self.minDict = {} self.bits = 2048 self.algoritm = 'sha256' self.match, self.supplied, self.optional = [], [], [] # Add not supported distributes names self.fs2nid = X509.X509_Name.nid.copy() self.fs2nid['DC'] = -1 self.fs2nid['domainComponent'] = -1 self.n2field = {} # nid: most short or specidied in CS distributes name self.n2fields = {} # nid: list of distributes names # Specify standart fields for field in self.fs2nid: if self.fs2nid[field] not in self.n2fields: self.n2fields[self.fs2nid[field]] = [] self.n2fields[self.fs2nid[field]].append(field) for nid in self.n2fields: for field in self.n2fields[nid]: if nid not in self.n2field: self.n2field[nid] = field self.n2field[nid] = len(field) < len(self.n2field[nid]) and field or self.n2field[nid]
def makeRequest(pk): """ Creates a new CSR from an RSA key :param pk: RSA key :return: CSR """ pkey = EVP.PKey() pkey.assign_rsa(pk) req = X509.Request() req.set_version(2) req.set_pubkey(pkey) name = X509.X509_Name() name.CN = 'cirosec gmbh' req.set_subject_name(name) ext1 = X509.new_extension('subjectAltName', 'DNS:foobar.example.com') ext2 = X509.new_extension('nsComment', 'Hello there') extstack = X509.X509_Extension_Stack() extstack.push(ext1) extstack.push(ext2) assert (extstack[1].get_name() == 'nsComment') req.add_extensions(extstack) req.sign(pkey, 'sha1') return req
def mk_cacert(name=None): """ Make a CA certificate. Returns the certificate, private key and public key. """ req, pk = mk_request(config.getint('ca','cert_bits'),config.get('ca','cert_ca_name')) pkey = req.get_pubkey() cert = X509.X509() cert.set_serial_number(1) cert.set_version(2) mk_cert_valid(cert,config.getint('ca','cert_ca_lifetime')) if name==None: name = config.get('ca','cert_ca_name') issuer = X509.X509_Name() issuer.C = config.get('ca','cert_country') issuer.CN = name issuer.ST = config.get('ca','cert_state') issuer.L = config.get('ca','cert_locality') issuer.O = config.get('ca','cert_organization') issuer.OU = config.get('ca','cert_org_unit') cert.set_issuer(issuer) cert.set_subject(cert.get_issuer()) cert.set_pubkey(pkey) cert.add_ext(X509.new_extension('basicConstraints', 'CA:TRUE')) cert.add_ext(X509.new_extension('subjectKeyIdentifier', str(cert.get_fingerprint()))) cert.add_ext(X509.new_extension('crlDistributionPoints','URI:http://localhost/crl.pem')) cert.add_ext(X509.new_extension('keyUsage', 'keyCertSign, cRLSign')) cert.sign(pk, 'sha256') return cert, pk, pkey
def _forceGenerateProxyForDN(self, dn, time, group=None): """ An additional helper method for creating a proxy without any substantial validation, it can be used for a specific case(such as testing) where just need to generate a proxy with specific DN on the fly. :param str dn: requested proxy DN :param int time: expired time in a seconds :param str group: if need to add DIRAC group :return: S_OK(tuple)/S_ERROR() -- contain proxy as chain and as string """ self.__X509Name = X509.X509_Name() result = self.__parseDN(dn) if not result['OK']: return result dnInfoDict = result['Value'] for field, values in dnInfoDict.items(): result = self.__fillX509Name(field, values) if not result['OK']: return result result = self.__createCertM2Crypto() if result['OK']: certStr, keyStr = result['Value'] chain = X509Chain() if chain.loadChainFromString(certStr)['OK'] and chain.loadKeyFromString(keyStr)['OK']: result = chain.generateProxyToString(time, rfc=True, diracGroup=group) if not result['OK']: return result chain = X509Chain() chain.loadProxyFromString(result['Value']) return S_OK((chain, result['Value']))
def create_self_signed_cert(rsa, subject={'CN': 'Testing'}, san=None): """ Creates a self-signed cert Pass in an RSA private key object Pass in a dictionary of subject name data, using C ST L O OU CN keys Pass in an optional san like 'DNS:example.com' Returns a X509.X509 object """ pk = EVP.PKey() pk.assign_rsa(rsa) name = X509.X509_Name() for key in ['C', 'ST', 'L', 'O', 'OU', 'CN']: if subject.get(key, None): setattr(name, key, subject[key]) cert = X509.X509() cert.set_serial_number(1) cert.set_version(2) t = long(time.time()) now = ASN1.ASN1_UTCTIME() now.set_time(t) expire = ASN1.ASN1_UTCTIME() expire.set_time(t + 365 * 24 * 60 * 60) cert.set_not_before(now) cert.set_not_after(expire) cert.set_issuer(name) cert.set_subject(name) cert.set_pubkey(pk) cert.add_ext(X509.new_extension('basicConstraints', 'CA:FALSE')) if san: cert.add_ext(X509.new_extension('subjectAltName', san)) cert.add_ext( X509.new_extension('subjectKeyIdentifier', cert.get_fingerprint())) cert.sign(pk, 'sha1') return cert
def make_proxycert(self, eecert): proxycert = X509.X509() pk2 = EVP.PKey() proxykey = RSA.gen_key(1024, 65537, self.callback) pk2.assign_rsa(proxykey) proxycert.set_pubkey(pk2) proxycert.set_version(2) not_before = ASN1.ASN1_UTCTIME() not_after = ASN1.ASN1_UTCTIME() not_before.set_time(int(time.time())) offset = 12 * 3600 not_after.set_time(int(time.time()) + offset) proxycert.set_not_before(not_before) proxycert.set_not_after(not_after) proxycert.set_issuer_name(eecert.get_subject()) proxycert.set_serial_number(12345678) issuer_name_string = eecert.get_subject().as_text() seq = issuer_name_string.split(",") subject_name = X509.X509_Name() for entry in seq: l = entry.split("=") subject_name.add_entry_by_txt(field=l[0].strip(), type=ASN1.MBSTRING_ASC, entry=l[1], len=-1, loc=-1, set=0) subject_name.add_entry_by_txt(field="CN", type=ASN1.MBSTRING_ASC, entry="Proxy", len=-1, loc=-1, set=0) proxycert.set_subject_name(subject_name) # XXX leaks 8 bytes pci_ext = X509.new_extension("proxyCertInfo", "critical,language:Inherit all", 1) proxycert.add_ext(pci_ext) return proxycert
def on_generate(self, cr, uid, ids, context): if context is None: context = {} active_ids = context['active_ids'] certificate_obj = self.pool.get('crypto.certificate') for wizard in self.browse(cr, uid, ids): name = X509.X509_Name() if wizard.name_c: name.C = wizard.name_c if wizard.name_sp: name.SP = wizard.name_sp if wizard.name_l: name.L = wizard.name_l if wizard.name_o: name.O = wizard.name_o if wizard.name_ou: name.OU = wizard.name_ou if wizard.name_cn: name.CN = wizard.name_cn if wizard.name_gn: name.GN = wizard.name_gn if wizard.name_sn: name.SN = wizard.name_sn if wizard.name_email: name.EMail = wizard.name_email if wizard.name_serialnumber: name.serialNumber = wizard.name_serialnumber certificate_obj.generate_certificate( cr, uid, active_ids, name, ext=None, serial_number=wizard.serial_number, version=wizard.version, date_begin=datetime.strptime(wizard.date_begin, '%Y-%m-%d'), date_end=datetime.strptime(wizard.date_end, '%Y-%m-%d')) return {'type': 'ir.actions.act_window_close'}
def _set_subject(self): """ Internal method that sets the subject name """ subject_name = X509.X509_Name() serial_number = self._make_serial_number(self._proxycert) issuer_name = self._usercert.get_subject() issuer_name_txt = issuer_name.as_text() seq = issuer_name_txt.split(",") for entry in seq: name_component = entry.split("=") subject_name.add_entry_by_txt(field=name_component[0].strip(), type=MBSTRING_ASC, entry=name_component[1], len=-1, loc=-1, set=0) subject_name.add_entry_by_txt(field="CN", type=MBSTRING_ASC, entry=str(serial_number), len=-1, loc=-1, set=0) self._proxycert.set_subject_name(subject_name)
def generate_certificate(csr, serial, cn): """Generate a certificate and sign it with CA. :param csr: Certificate Signing Request. See :class:`M2Crypto.X509.Request`. :param serial: Serial number of the certificate as long int. :param cn: Common Name of the certificate. :return: Generated + signed certificate. See :class:`M2Crypto.X509.X509`. """ ca_key = EVP.load_key(settings.PKI_CA_KEYFILE, lambda *args: None) ca_cert = X509.load_cert(settings.PKI_CA_CERTFILE) cert = X509.X509() cert.set_serial_number(serial) cert.set_version(2) csr_subject = csr.get_subject() subject = X509.X509_Name() for key in ('C', 'ST', 'L', 'O', 'OU'): original_value = getattr(csr_subject, key) if original_value: setattr(subject, key, original_value) subject.CN = cn cert.set_subject(subject) t = long(time.time()) + time.timezone now = ASN1.ASN1_UTCTIME() now.set_time(t) now_plus_year = ASN1.ASN1_UTCTIME() now_plus_year.set_time(t + 60 * 60 * 24 * 365) cert.set_not_before(now) cert.set_not_after(now_plus_year) cert.set_issuer(ca_cert.get_subject()) cert.set_pubkey(csr.get_pubkey()) cert.sign(ca_key, 'sha1') return cert
def mk_request(bits, CN, C, ST, L, O, OU): """Create a X509 request with the given number of bits in they key. :param bits: number of RSA key bits :param CN: Common Name field :param C: Country Name :param ST: State or province name :param L: Locality :param O: Organization :param OU: Organization Unit :returns: a X509 request and the private key (EVP) """ pk = EVP.PKey() x = X509.Request() rsa = RSA.gen_key(bits, 65537, lambda: None) pk.assign_rsa(rsa) x.set_pubkey(pk) subject_name = X509.X509_Name() subject_name.add_entry_by_txt(field="CN", type=ASN1.MBSTRING_ASC, entry=CN or "", len=-1, loc=-1, set=0) subject_name.add_entry_by_txt(field="C", type=ASN1.MBSTRING_ASC, entry=C or "", len=-1, loc=-1, set=0) subject_name.add_entry_by_txt(field="ST", type=ASN1.MBSTRING_ASC, entry=ST or "", len=-1, loc=-1, set=0) subject_name.add_entry_by_txt(field="L", type=ASN1.MBSTRING_ASC, entry=L or "", len=-1, loc=-1, set=0) subject_name.add_entry_by_txt(field="O", type=ASN1.MBSTRING_ASC, entry=O or "", len=-1, loc=-1, set=0) subject_name.add_entry_by_txt(field="OU", type=ASN1.MBSTRING_ASC, entry=OU or "", len=-1, loc=-1, set=0) x.set_subject_name(subject_name) x.sign(pk, 'sha256') return x, pk
def _populated_x509_name(components): """ Generates a populated X509_Name with the entries passed in components """ x509_name = X509.X509_Name() for field, value in components: x509_name.add_entry_by_txt(field, 0x1000, value, len=-1, loc=-1, set=0) return x509_name
def _create_cert(key, webid_uri, time_len=365): key_dir = jongau.settings.key_dir key_path = os.path.join(key_dir, key['filename']) rsa = RSA.load_key(key_path) pk = EVP.PKey() pk.assign_rsa(rsa) parsed = urlparse.urlparse(webid_uri) issuer = X509.X509_Name() issuer.CN = parsed[1] subject = X509.X509_Name() subject.CN = parsed[1] cert = X509.X509() cert.set_serial_number(long(time.time())) cert.set_version(2) cert.set_issuer(issuer) cert.set_subject(subject) cert.set_pubkey(pk) now = long(key['created']) time_start = ASN1.ASN1_UTCTIME() time_start.set_time(now) time_end = ASN1.ASN1_UTCTIME() time_end.set_time(now + time_len * 24 * 60 * 60) cert.set_not_before(time_start) cert.set_not_after(time_end) cert.add_ext(X509.new_extension('basicContraints', 'CA:FALSE')) cert.add_ext(X509.new_extension('subjectAltName', "URI:" + webid_uri)) cert.add_ext( X509.new_extension('subjectKeyIdentifier', cert.get_fingerprint())) cert.sign(pk, 'sha1') filename = '%s_%s_%s' % (key['filename'], parsed[1], long(time.time())) pathname = os.path.join(key_dir, filename) cert.save_pem(pathname) certificate = {} certificate['filename'] = filename certificate['keyname'] = key['filename'] certificate['created'] = key['created'] certificate['expiration'] = key['created'] + time_len * 24 * 60 * 60 return certificate
def create_request(self, **subject): request = X509.Request() subject_name = X509.X509_Name() for key, value in subject.iteritems(): setattr(subject_name, key, value) request.set_subject(subject_name) request.set_pubkey(pkey=self.pkey) request.sign(self.pkey, md="sha256") return request
def dict_to_x509_name(subject): """Our default CA issuer name.""" name = X509.X509_Name() name.C = subject['C'] name.ST = subject['ST'] name.L = subject['L'] name.O = subject['O'] # noqa name.OU = subject['OU'] name.CN = subject['CN'] return name