1 # This program is free software; you can redistribute it and/or modify
2 # it under the terms of the GNU General Public License as published by
3 # the Free Software Foundation; either version 2 of the License, or
4 # (at your option) any later version.
6 # This program is distributed in the hope that it will be useful,
7 # but WITHOUT ANY WARRANTY; without even the implied warranty of
8 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
9 # GNU Library General Public License for more details.
11 # You should have received a copy of the GNU General Public License
12 # along with this program; if not, write to the Free Software
13 # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
14 # Copyright (c) 2007 Red Hat, inc
15 #- Written by Seth Vidal skvidal @ fedoraproject.org
17 from OpenSSL
import crypto
24 def_local
= 'Certmaster-town'
25 def_org
= 'certmaster'
29 def make_keypair(dest
=None):
31 pkey
.generate_key(crypto
.TYPE_RSA
, 2048)
33 destfd
= os
.open(dest
, os
.O_RDWR|os
.O_CREAT
, 0600)
34 os
.write(destfd
, (crypto
.dump_privatekey(crypto
.FILETYPE_PEM
, pkey
)))
40 def make_csr(pkey
, dest
=None, cn
=None):
41 req
= crypto
.X509Req()
43 subj
= req
.get_subject()
52 subj
.CN
= utils
.get_hostname()
53 subj
.emailAddress
= 'root@%s' % subj
.CN
58 destfd
= os
.open(dest
, os
.O_RDWR|os
.O_CREAT
, 0644)
59 os
.write(destfd
, crypto
.dump_certificate_request(crypto
.FILETYPE_PEM
, req
))
65 def retrieve_key_from_file(keyfile
):
66 fo
= open(keyfile
, 'r')
68 keypair
= crypto
.load_privatekey(crypto
.FILETYPE_PEM
, buf
)
72 def retrieve_csr_from_file(csrfile
):
73 fo
= open(csrfile
, 'r')
75 csrreq
= crypto
.load_certificate_request(crypto
.FILETYPE_PEM
, buf
)
79 def retrieve_cert_from_file(certfile
):
80 fo
= open(certfile
, 'r')
82 cert
= crypto
.load_certificate(crypto
.FILETYPE_PEM
, buf
)
86 def create_ca(CN
="Certmaster Certificate Authority", ca_key_file
=None, ca_cert_file
=None):
87 cakey
= make_keypair(dest
=ca_key_file
)
88 careq
= make_csr(cakey
, cn
=CN
)
89 cacert
= crypto
.X509()
90 cacert
.set_serial_number(0)
91 cacert
.gmtime_adj_notBefore(0)
92 cacert
.gmtime_adj_notAfter(60*60*24*365*10) # 10 yrs - hard to beat this kind of cert!
93 cacert
.set_issuer(careq
.get_subject())
94 cacert
.set_subject(careq
.get_subject())
95 cacert
.set_pubkey(careq
.get_pubkey())
96 cacert
.sign(cakey
, 'md5')
98 destfo
= open(ca_cert_file
, 'w')
99 destfo
.write(crypto
.dump_certificate(crypto
.FILETYPE_PEM
, cacert
))
103 def _get_serial_number(cadir
):
104 serial
= '%s/serial.txt' % cadir
106 if os
.path
.exists(serial
):
107 f
= open(serial
, 'r').read()
108 f
= f
.replace('\n','')
112 except ValueError, e
:
115 _set_serial_number(cadir
, i
)
119 def _set_serial_number(cadir
, last
):
120 serial
= '%s/serial.txt' % cadir
121 f
= open(serial
, 'w')
122 f
.write(str(last
) + '\n')
126 def create_slave_certificate(csr
, cakey
, cacert
, cadir
, slave_cert_file
=None):
128 cert
.set_serial_number(_get_serial_number(cadir
))
129 cert
.gmtime_adj_notBefore(0)
130 cert
.gmtime_adj_notAfter(60*60*24*365*10) # 10 yrs - hard to beat this kind of cert!
131 cert
.set_issuer(cacert
.get_subject())
132 cert
.set_subject(csr
.get_subject())
133 cert
.set_pubkey(csr
.get_pubkey())
134 cert
.sign(cakey
, 'md5')
136 destfo
= open(slave_cert_file
, 'w')
137 destfo
.write(crypto
.dump_certificate(crypto
.FILETYPE_PEM
, cert
))
projects / certmaster.git / blob