1 # This program is free software; you can redistribute it and/or modify
2 # it under the terms of the GNU General Public License as published by
3 # the Free Software Foundation; either version 2 of the License, or
4 # (at your option) any later version.
6 # This program is distributed in the hope that it will be useful,
7 # but WITHOUT ANY WARRANTY; without even the implied warranty of
8 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
9 # GNU Library General Public License for more details.
11 # You should have received a copy of the GNU General Public License
12 # along with this program; if not, write to the Free Software
13 # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
14 # Copyright (c) 2007 Red Hat, inc
15 #- Written by Seth Vidal skvidal @ fedoraproject.org
17 from OpenSSL
import crypto
24 def_local
= 'Certmaster-town'
25 def_org
= 'certmaster'
29 def make_keypair(dest
=None):
31 pkey
.generate_key(crypto
.TYPE_RSA
, 2048)
33 destfd
= os
.open(dest
, os
.O_RDWR|os
.O_CREAT
, 0600)
34 os
.write(destfd
, (crypto
.dump_privatekey(crypto
.FILETYPE_PEM
, pkey
)))
40 def make_csr(pkey
, dest
=None, cn
=None, hostname
=None):
41 req
= crypto
.X509Req()
43 subj
= req
.get_subject()
54 subj
.CN
= utils
.gethostname()
56 subj
.emailAddress
= 'root@%s' % subj
.CN
61 destfd
= os
.open(dest
, os
.O_RDWR|os
.O_CREAT
, 0644)
62 os
.write(destfd
, crypto
.dump_certificate_request(crypto
.FILETYPE_PEM
, req
))
68 def retrieve_key_from_file(keyfile
):
69 fo
= open(keyfile
, 'r')
71 keypair
= crypto
.load_privatekey(crypto
.FILETYPE_PEM
, buf
)
75 def retrieve_csr_from_file(csrfile
):
76 fo
= open(csrfile
, 'r')
78 csrreq
= crypto
.load_certificate_request(crypto
.FILETYPE_PEM
, buf
)
82 def retrieve_cert_from_file(certfile
):
83 fo
= open(certfile
, 'r')
85 cert
= crypto
.load_certificate(crypto
.FILETYPE_PEM
, buf
)
89 def create_ca(CN
="Certmaster Certificate Authority", ca_key_file
=None, ca_cert_file
=None):
90 cakey
= make_keypair(dest
=ca_key_file
)
91 careq
= make_csr(cakey
, cn
=CN
)
92 cacert
= crypto
.X509()
93 cacert
.set_serial_number(0)
94 cacert
.gmtime_adj_notBefore(0)
95 cacert
.gmtime_adj_notAfter(60*60*24*365*10) # 10 yrs - hard to beat this kind of cert!
96 cacert
.set_issuer(careq
.get_subject())
97 cacert
.set_subject(careq
.get_subject())
98 cacert
.set_pubkey(careq
.get_pubkey())
99 cacert
.sign(cakey
, 'md5')
101 destfo
= open(ca_cert_file
, 'w')
102 destfo
.write(crypto
.dump_certificate(crypto
.FILETYPE_PEM
, cacert
))
106 def _get_serial_number(cadir
):
107 serial
= '%s/serial.txt' % cadir
109 if os
.path
.exists(serial
):
110 f
= open(serial
, 'r').read()
111 f
= f
.replace('\n','')
115 except ValueError, e
:
118 _set_serial_number(cadir
, i
)
122 def _set_serial_number(cadir
, last
):
123 serial
= '%s/serial.txt' % cadir
124 f
= open(serial
, 'w')
125 f
.write(str(last
) + '\n')
129 def create_slave_certificate(csr
, cakey
, cacert
, cadir
, slave_cert_file
=None):
131 cert
.set_serial_number(_get_serial_number(cadir
))
132 cert
.gmtime_adj_notBefore(0)
133 cert
.gmtime_adj_notAfter(60*60*24*365*10) # 10 yrs - hard to beat this kind of cert!
134 cert
.set_issuer(cacert
.get_subject())
135 cert
.set_subject(csr
.get_subject())
136 cert
.set_pubkey(csr
.get_pubkey())
137 cert
.sign(cakey
, 'md5')
139 destfo
= open(slave_cert_file
, 'w')
140 destfo
.write(crypto
.dump_certificate(crypto
.FILETYPE_PEM
, cert
))
144 def check_cert_key_match(cert
, key
):
145 if not isinstance(cert
, crypto
.X509Type
):
146 cert
= crypto
.load_certificate(crypto
.FILETYPE_PEM
, cert
)
147 if not isinstance(key
, crypto
.PKeyType
):
148 key
= crypto
.load_privatekey(crypto
.FILETYPE_PEM
, key
)
150 from OpenSSL
import SSL
151 context
= SSL
.Context(SSL
.SSLv3_METHOD
)
153 context
.use_certificate(cert
)
154 context
.use_privatekey(key
)