X-Git-Url: https://pwan.org/git/?a=blobdiff_plain;f=certmaster%2Fcerts.py;h=b59a972c7de642519629a05352cfc7ee237a6f22;hb=42050df52ff80295e1cf64e6ba36b793b09412cf;hp=4d6bf1531b4c3ba17c8ccb1a630ad5cccc97231b;hpb=8f2ff4d7c902d534d68ff1a16418b7be492033bf;p=certmaster.git
diff --git a/certmaster/certs.py b/certmaster/certs.py
index 4d6bf15..b59a972 100644
--- a/certmaster/certs.py
+++ b/certmaster/certs.py
@@ -21,8 +21,8 @@ import utils
 def_country = 'UN'
 def_state = 'FC'
-def_local = 'Func-ytown'
-def_org = 'func'
+def_local = 'Certmaster-town'
+def_org = 'certmaster'
 def_ou = 'slave-key'
@@ -37,7 +37,7 @@ def make_keypair(dest=None):
     return pkey
-def make_csr(pkey, dest=None, cn=None):
+def make_csr(pkey, dest=None, cn=None, hostname=None, emailaddr=None):
     req = crypto.X509Req()
     req.get_subject()
     subj = req.get_subject()
@@ -48,9 +48,15 @@ def make_csr(pkey, dest=None, cn=None):
     subj.OU = def_ou
     if cn:
         subj.CN = cn
+    elif hostname:
+        subj.CN = hostname
     else:
-        subj.CN = utils.get_hostname()
-    subj.emailAddress = 'root@%s' % subj.CN
+        subj.CN = utils.gethostname()
+
+    if emailaddr:
+        subj.emailAddress = emailaddr
+    else:
+        subj.emailAddress = 'root@%s' % subj.CN
     req.set_pubkey(pkey)
     req.sign(pkey, 'md5')
@@ -83,7 +89,7 @@ def retrieve_cert_from_file(certfile):
     return cert
-def create_ca(CN="Func Certificate Authority", ca_key_file=None, ca_cert_file=None):
+def create_ca(CN="Certmaster Certificate Authority", ca_key_file=None, ca_cert_file=None):
     cakey = make_keypair(dest=ca_key_file)
     careq = make_csr(cakey, cn=CN)
     cacert = crypto.X509()
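Review bot: The CSR is still signed with `req.sign(pkey, 'md5')` (last line of the `@@ -48,9 +48,15 @@` hunk) while this same commit moves certificate signing in create_ca and create_slave_certificate to SHA-1, leaving the request digest as the weakest step in the issuance path; change it to `req.sign(pkey, 'sha1')` (or `'sha256'` where the underlying OpenSSL supports it) so the two agree. The rename from `utils.get_hostname()` to `utils.gethostname()` cannot be verified from this hunk; if the helper does not exist under the new name, the default-CN path fails with AttributeError at runtime. make_csr's body continues past the end of the hunk.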
@@ -93,7 +99,11 @@ def create_ca(CN="Func Certificate Authority", ca_key_file=None, ca_cert_file=No
     cacert.set_issuer(careq.get_subject())
     cacert.set_subject(careq.get_subject())
     cacert.set_pubkey(careq.get_pubkey())
-    cacert.sign(cakey, 'md5')
+    cacert.set_version(2)
+    xt = crypto.X509Extension('basicConstraints',1,'CA:TRUE')
+    # FIXME - add subjectkeyidentifier and authoritykeyidentifier extensions, too)
+    cacert.add_extensions((xt,))
+    cacert.sign(cakey, 'sha1')
     if ca_cert_file:
         destfo = open(ca_cert_file, 'w')
         destfo.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cacert))
@@ -131,9 +141,28 @@ def create_slave_certificate(csr, cakey, cacert, cadir, slave_cert_file=None):
     cert.set_issuer(cacert.get_subject())
     cert.set_subject(csr.get_subject())
     cert.set_pubkey(csr.get_pubkey())
-    cert.sign(cakey, 'md5')
+    cert.set_version(2)
+    xt = crypto.X509Extension('basicConstraints', False ,'CA:FALSE')
+    # FIXME - add subjectkeyidentifier and authoritykeyidentifier extensions, too)
+    cert.add_extensions((xt,))
+    cert.sign(cakey, 'sha1')
     if slave_cert_file:
         destfo = open(slave_cert_file, 'w')
         destfo.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
         destfo.close()
     return cert
+
+def check_cert_key_match(cert, key):
+    if not isinstance(cert, crypto.X509Type):
+        cert = crypto.load_certificate(crypto.FILETYPE_PEM, cert)
+    if not isinstance(key, crypto.PKeyType):
+        key = crypto.load_privatekey(crypto.FILETYPE_PEM, key)
+
+    from OpenSSL import SSL
+    context = SSL.Context(SSL.SSLv3_METHOD)
+    try:
+        context.use_certificate(cert)
+        context.use_privatekey(key)
+        return True
+    except:
+        return False
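Review bot: Without a `keyUsage` extension next to the new `basicConstraints` in create_ca, the CA certificate leaves its key usable for ordinary TLS authentication as well as issuance, which widens what a compromise of the CA key can be used for; add `ku = crypto.X509Extension('keyUsage', True, 'keyCertSign, cRLSign')` and register both with `cacert.add_extensions((xt, ku))`. The existing FIXME already tracks subjectKeyIdentifier/authorityKeyIdentifier; that comment carries a stray trailing `)` both here and in the create_slave_certificate hunk below. `'sha1'` is a step up from md5 but is itself weak for signatures, so prefer `'sha256'` where the underlying OpenSSL supports it, in both `cacert.sign` here and `cert.sign` in the next hunk. create_ca's body continues outside this hunk.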
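Review bot: The bare `except:` closing check_cert_key_match turns every failure — a corrupt key, a library error, even KeyboardInterrupt — into a plain `False`, so a caller cannot distinguish a genuine certificate/key mismatch from a broken environment; narrow it to `except SSL.Error:`. `SSL.Context(SSL.SSLv3_METHOD)` sits outside the try and may fail outright on OpenSSL builds without SSLv3, although the match check does not depend on the protocol version, so a version-neutral method such as `SSL.SSLv23_METHOD` is the safer choice. The `load_certificate`/`load_privatekey` calls above the try also raise `crypto.Error` on unparseable PEM input and are not handled at all; either include them in the guarded section or document in a docstring that the function raises on malformed input.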