X-Git-Url: https://pwan.org/git/?a=blobdiff_plain;f=certmaster%2Fcerts.py;h=d6f8b14a3b7ece6a1b4dbf6ea9380559c6f0de9b;hb=fbd4bc1fe300150b55255d5af80052601dfbcd77;hp=554822e702a2abde02b6c8383d55a18061657079;hpb=1e64c312e159e604eb45a06036b5e2c9a0a149df;p=certmaster.git
diff --git a/certmaster/certs.py b/certmaster/certs.py
index 554822e..d6f8b14 100644
--- a/certmaster/certs.py
+++ b/certmaster/certs.py
@@ -11,7 +11,7 @@
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-# Copyright (c) 2007 Red Hat, inc
+# Copyright (c) 2007 Red Hat, inc
 #- Written by Seth Vidal skvidal @ fedoraproject.org
 from OpenSSL import crypto
@@ -33,11 +33,11 @@ def make_keypair(dest=None):
 destfd = os.open(dest, os.O_RDWR|os.O_CREAT, 0600)
 os.write(destfd, (crypto.dump_privatekey(crypto.FILETYPE_PEM, pkey)))
 os.close(destfd)
-
+
 return pkey
-def make_csr(pkey, dest=None, cn=None, hostname=None):
+def make_csr(pkey, dest=None, cn=None, hostname=None, emailaddr=None):
 req = crypto.X509Req()
 req.get_subject()
 subj = req.get_subject()
@@ -53,8 +53,11 @@ def make_csr(pkey, dest=None, cn=None, hostname=None):
 else:
 subj.CN = utils.gethostname()
- subj.emailAddress = 'root@%s' % subj.CN
-
+ if emailaddr:
+ subj.emailAddress = emailaddr
+ else:
+ subj.emailAddress = 'root@%s' % subj.CN
+
 req.set_pubkey(pkey)
 req.sign(pkey, 'md5')
 if dest:
@@ -71,7 +74,7 @@ def retrieve_key_from_file(keyfile):
 keypair = crypto.load_privatekey(crypto.FILETYPE_PEM, buf)
 return keypair
-
+
 def retrieve_csr_from_file(csrfile):
 fo = open(csrfile, 'r')
 buf = fo.read()
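Review bot: The new `emailaddr` parameter on `make_csr` is added without any documentation, and the function has no docstring at all, so a caller cannot tell from the signature that the value ends up as the subject's emailAddress or what happens when it is omitted. A one-line docstring under the new `def` line would close that gap, e.g. `"""Build and self-sign a CSR for pkey; emailaddr overrides the default root@<CN> subject email, dest (if given) is where the PEM is written."""`. The body of `make_csr` runs past the end of this hunk, so the return value should be confirmed against the rest of the function before the docstring states it.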
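Review bot: The CSR self-signature on the context line `req.sign(pkey, 'md5')` is still MD5, while the same commit moves the CA and slave certificate signatures off MD5; the CSR's signature is only a proof of possession, but leaving it on a broken digest is inconsistent and will fail outright on OpenSSL builds where MD5 is disabled. I would change it to `req.sign(pkey, 'sha256')` (or at least the same digest the certificates now use). The new `if emailaddr:` branch also treats an empty string as "not given" and falls back to `root@<CN>`, which is probably fine but worth a short comment since the parameter is otherwise passed into the subject unchecked. `make_csr` starts and ends outside this hunk.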
@@ -96,13 +99,17 @@ def create_ca(CN="Certmaster Certificate Authority", ca_key_file=None, ca_cert_f
 cacert.set_issuer(careq.get_subject())
 cacert.set_subject(careq.get_subject())
 cacert.set_pubkey(careq.get_pubkey())
- cacert.sign(cakey, 'md5')
+ cacert.set_version(2)
+ xt = crypto.X509Extension('basicConstraints',1,'CA:TRUE')
+ # FIXME - add subjectkeyidentifier and authoritykeyidentifier extensions, too)
+ cacert.add_extensions((xt,))
+ cacert.sign(cakey, 'sha1')
 if ca_cert_file:
 destfo = open(ca_cert_file, 'w')
 destfo.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cacert))
 destfo.close()
-
-
+
+
 def _get_serial_number(cadir):
 serial = '%s/serial.txt' % cadir
 i = 1
@@ -111,11 +118,11 @@ def _get_serial_number(cadir):
 f = f.replace('\n','')
 try:
 i = int(f)
- i+=1
+ i+=1
 except ValueError, e:
 i = 1
-
- _set_serial_number(cadir, i)
+
+ _set_serial_number(cadir, i)
 return i
@@ -124,8 +131,8 @@ def _set_serial_number(cadir, last):
 f = open(serial, 'w')
 f.write(str(last) + '\n')
 f.close()
-
-
+
+
 def create_slave_certificate(csr, cakey, cacert, cadir, slave_cert_file=None):
 cert = crypto.X509()
 cert.set_serial_number(_get_serial_number(cadir))
@@ -134,7 +141,11 @@ def create_slave_certificate(csr, cakey, cacert, cadir, slave_cert_file=None):
 cert.set_issuer(cacert.get_subject())
 cert.set_subject(csr.get_subject())
 cert.set_pubkey(csr.get_pubkey())
- cert.sign(cakey, 'md5')
+ cert.set_version(2)
+ xt = crypto.X509Extension('basicConstraints', False ,'CA:FALSE')
+ # FIXME - add subjectkeyidentifier and authoritykeyidentifier extensions, too)
+ cert.add_extensions((xt,))
+ cert.sign(cakey, 'sha1')
 if slave_cert_file:
 destfo = open(slave_cert_file, 'w')
 destfo.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
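Review bot: Moving the CA signature from MD5 to SHA-1 in `cacert.sign(cakey, 'sha1')` only buys a little time, since SHA-1 certificate signatures are themselves deprecated and rejected by current verifiers at their default security level; with the CA being minted fresh here there is no compatibility reason not to go straight to `cacert.sign(cakey, 'sha256')` (assuming the underlying OpenSSL provides SHA-256, which any 0.9.8+ build does). The new v3 CA certificate also carries only `basicConstraints`; a CA should additionally assert a critical keyUsage so the key cannot be reused for TLS or signing, e.g. `ku = crypto.X509Extension('keyUsage', True, 'keyCertSign, cRLSign')` and `cacert.add_extensions((xt, ku))`. As a style point the critical flag is written `1` here but `False` in the slave certificate hunk; use `True`/`False` in both so the difference in criticality reads as deliberate. The FIXME about subjectKeyIdentifier/authorityKeyIdentifier is worth keeping, since without a SKI on the CA the slave certificates cannot carry a matching AKI later. `create_ca` starts outside this hunk.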
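Review bot: The slave certificate is likewise signed with `cert.sign(cakey, 'sha1')`, and these are the long-lived leaf certificates that peers will actually validate, so the SHA-1 choice matters more here than on the CA; `cert.sign(cakey, 'sha256')` is the safer default for newly issued certificates. Beyond `basicConstraints CA:FALSE`, the v3 leaf carries no keyUsage or extendedKeyUsage, so nothing limits what the issued certificate may be used for; something like `ku = crypto.X509Extension('keyUsage', True, 'digitalSignature, keyEncipherment')` added to the `cert.add_extensions((xt, ku))` tuple would bound it. Separately, the function copies the CSR's subject and public key straight into the certificate (the `cert.set_subject`/`cert.set_pubkey` context lines) without first checking the CSR's proof of possession, so the issuer should call `csr.verify(csr.get_pubkey())` and refuse to sign when it fails, unless that check is done by the caller outside this file. `create_slave_certificate` continues past the end of the hunk.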