1 # This program is free software; you can redistribute it and/or modify
2 # it under the terms of the GNU General Public License as published by
3 # the Free Software Foundation; either version 2 of the License, or
4 # (at your option) any later version.
6 # This program is distributed in the hope that it will be useful,
7 # but WITHOUT ANY WARRANTY; without even the implied warranty of
8 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
9 # GNU Library General Public License for more details.
11 # You should have received a copy of the GNU General Public License
12 # along with this program; if not, write to the Free Software
13 # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
14 # Copyright (c) 2007 Red Hat, inc
15 #- Written by Seth Vidal skvidal @ fedoraproject.org
17 from OpenSSL
import crypto
# Default locality (L) and organisation (O) for generated certificate subjects.
# NOTE(review): the lines that consume these are not in this excerpt; presumably
# make_csr fills subj.L / subj.O from them -- confirm against the full file.
def_local = 'Certmaster-town'
def_org = 'certmaster'
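def make_keypair(dest=None):
    """Generate a 2048-bit RSA key and optionally write it to *dest* as PEM.

    Args:
        dest: path to write the private key to. When None/empty nothing is
            written (create_ca() passes its ca_key_file straight through,
            and that defaults to None).

    Returns:
        The generated crypto.PKey; create_ca() uses it to sign the CSR and
        the CA certificate.

    NOTE(review): original lines 30-32 and 35-39 are missing from the excerpt
    this was reconstructed from; the PKey construction, the ``if dest:`` guard
    and ``return pkey`` follow from how the visible code and create_ca use
    this function.
    """
    pkey = crypto.PKey()
    pkey.generate_key(crypto.TYPE_RSA, 2048)

    if dest:
        pem = crypto.dump_privatekey(crypto.FILETYPE_PEM, pkey)
        # 0o600 at creation time so the private key is never world-readable,
        # even briefly. O_TRUNC is the fix: the original used O_RDWR|O_CREAT
        # only, so overwriting a longer pre-existing file left stale key
        # material after the new PEM block. The mode only applies when the
        # file is created -- a pre-existing key file keeps its old
        # permissions, so tighten those separately (os.fchmod) if needed.
        fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, 'wb') as fo:
            fo.write(pem)

    return pkey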
def make_csr(pkey, dest=None, cn=None, hostname=None):
    """Build a certificate signing request and optionally write it to *dest*.

    In the visible lines the subject CN is the local hostname and the
    emailAddress is derived from it. ``pkey``, ``cn`` and ``hostname`` are
    not referenced in the lines shown.

    NOTE(review): original lines 42, 44-53, 55, 57-60 and 63-67 are missing
    from this excerpt, so the CN selection from cn/hostname, attaching the
    key (req.set_pubkey / req.sign), closing the fd and the return value
    cannot be seen here -- confirm against the full file.
    """
    req = crypto.X509Req()
    subj = req.get_subject()
    # Presumably the fallback branch when neither cn nor hostname is given.
    subj.CN = utils.gethostname()
    subj.emailAddress = 'root@%s' % subj.CN
    # A CSR is public data, so 0644 is fine; but O_RDWR|O_CREAT without
    # O_TRUNC leaves stale bytes behind when overwriting a longer file.
    destfd = os.open(dest, os.O_RDWR|os.O_CREAT, 0644)
    os.write(destfd, crypto.dump_certificate_request(crypto.FILETYPE_PEM, req))
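def retrieve_key_from_file(keyfile):
    """Load a PEM private key from *keyfile* and return it as a crypto.PKey.

    Raises:
        IOError/OSError if the file cannot be read; whatever OpenSSL.crypto
        raises for malformed PEM.

    NOTE(review): original lines 70 and 72-74 are missing from the excerpt
    this was reconstructed from; the read and the return follow from the
    visible use of ``buf`` and the function's name.
    """
    # ``with`` closes the handle even when load_privatekey raises.
    with open(keyfile, 'r') as fo:
        buf = fo.read()
    return crypto.load_privatekey(crypto.FILETYPE_PEM, buf)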
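def retrieve_csr_from_file(csrfile):
    """Load a PEM certificate signing request from *csrfile*.

    Returns:
        A crypto.X509Req. Nothing about the request is verified here; callers
        decide whether it should be signed.

    Raises:
        IOError/OSError if the file cannot be read; whatever OpenSSL.crypto
        raises for malformed PEM.

    NOTE(review): original lines 77 and 79-81 are missing from the excerpt
    this was reconstructed from; the read and the return follow from the
    visible use of ``buf`` and the function's name.
    """
    # ``with`` closes the handle even when load_certificate_request raises.
    with open(csrfile, 'r') as fo:
        buf = fo.read()
    return crypto.load_certificate_request(crypto.FILETYPE_PEM, buf)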
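def retrieve_cert_from_file(certfile):
    """Load a PEM certificate from *certfile* and return it as a crypto.X509.

    Raises:
        IOError/OSError if the file cannot be read; whatever OpenSSL.crypto
        raises for malformed PEM.

    NOTE(review): original lines 84 and 86-88 are missing from the excerpt
    this was reconstructed from; the read and the return follow from the
    visible use of ``buf`` and the function's name.
    """
    # ``with`` closes the handle even when load_certificate raises.
    with open(certfile, 'r') as fo:
        buf = fo.read()
    return crypto.load_certificate(crypto.FILETYPE_PEM, buf)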
def create_ca(CN="Certmaster Certificate Authority", ca_key_file=None, ca_cert_file=None):
    """Create a self-signed CA key pair and certificate.

    Args:
        CN: subject common name, passed to make_csr as ``cn``.
        ca_key_file: path make_keypair writes the private key to; None means
            the key is not written out.
        ca_cert_file: path the PEM certificate is written to. There is no
            None guard below, so the default of None makes open() fail.

    NOTE(review): original lines 107-109 (after the certificate is written)
    are not in this excerpt, so whether the handle is closed and what the
    function returns cannot be seen here.
    """
    cakey = make_keypair(dest=ca_key_file)
    careq = make_csr(cakey, cn=CN)
    cacert = crypto.X509()
    # NOTE(review): RFC 5280 4.1.2.2 requires a positive serial; some strict
    # validators reject 0. Slave serials start at 1 (see _get_serial_number)
    # and share this issuer name, so any change must not collide with them.
    cacert.set_serial_number(0)
    cacert.gmtime_adj_notBefore(0)
    cacert.gmtime_adj_notAfter(60*60*24*365*10) # 10 years, in seconds
    # Self-signed: issuer and subject are the same name, key is the CA's own.
    cacert.set_issuer(careq.get_subject())
    cacert.set_subject(careq.get_subject())
    cacert.set_pubkey(careq.get_pubkey())
    # basicConstraints is marked critical (the ``1``) so verifiers must honour it.
    xt = crypto.X509Extension('basicConstraints',1,'CA:TRUE')
    # FIXME - add subjectkeyidentifier and authoritykeyidentifier extensions, too)
    # NOTE(review): a keyUsage extension (keyCertSign, cRLSign) is also absent;
    # only add it if this certificate is never used as a TLS end-entity cert,
    # because keyUsage restricts what the key may be used for.
    cacert.add_extensions((xt,))
    # NOTE(review): SHA-1 signatures are rejected by current TLS stacks
    # (OpenSSL security level >= 1). A trust anchor's self-signature is
    # usually not checked, but sha256 is still the right default here.
    cacert.sign(cakey, 'sha1')
    # NOTE(review): no guard for ca_cert_file=None, and the handle is not
    # closed within the visible lines.
    destfo = open(ca_cert_file, 'w')
    destfo.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cacert))
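def _get_serial_number(cadir):
    """Return the next certificate serial for the CA in *cadir* and persist it.

    The counter lives in ``<cadir>/serial.txt``. A missing or unparsable
    file restarts the counter at 1 (the original behaviour); otherwise the
    stored value plus one is written back and returned.

    NOTE(review): original lines 112, 116-118, 120 and 123 are missing from
    the excerpt this was reconstructed from; the ``i = 1`` default, the
    int()+1 step and ``return i`` follow from the visible read/replace, the
    ``except ValueError`` and the call to _set_serial_number.

    NOTE(review): serials must be unique per issuer (RFC 5280 4.1.2.2). This
    read-increment-write is not locked, so two concurrent signers can be
    handed the same serial, and the reset-to-1 fallback on a corrupt file
    re-issues serials that were already used. A stricter version would hold
    an fcntl lock on the file and refuse to continue on a corrupt counter;
    that is a behaviour change left for the caller to decide.
    """
    serial = '%s/serial.txt' % cadir
    i = 1
    if os.path.exists(serial):
        # ``with`` closes the handle; the original leaked it.
        with open(serial, 'r') as fo:
            stored = fo.read().strip()
        try:
            i = int(stored) + 1
        except ValueError:
            # Unparsable counter: fall back to 1 (original behaviour, see above).
            i = 1
    _set_serial_number(cadir, i)
    return i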
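def _set_serial_number(cadir, last):
    """Persist *last* as the current serial counter in ``<cadir>/serial.txt``.

    Args:
        cadir: the CA directory; the file is created or overwritten there.
        last: the serial just handed out; stored as its decimal string plus a
            trailing newline, which is what _get_serial_number reads back.

    NOTE(review): original line 130 is missing from the excerpt this was
    reconstructed from; ``with`` guarantees the close regardless.
    """
    serial = '%s/serial.txt' % cadir
    # Truncating write; the counter is small enough for a single write call.
    with open(serial, 'w') as fo:
        fo.write(str(last) + '\n')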
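def create_slave_certificate(csr, cakey, cacert, cadir, slave_cert_file=None, digest='sha256'):
    """Sign *csr* with the CA key and return the resulting end-entity certificate.

    Args:
        csr: a crypto.X509Req; only its subject and public key are copied
            into the certificate, nothing else in it is examined.
        cakey: the CA's crypto.PKey used to sign.
        cacert: the CA's crypto.X509; its subject becomes the issuer name.
        cadir: CA directory holding serial.txt (see _get_serial_number).
        slave_cert_file: optional path the PEM certificate is written to.
        digest: signature hash. Defaults to sha256 because SHA-1 signatures
            are rejected by current TLS stacks; pass 'sha1' for the old
            behaviour.

    Returns:
        The signed crypto.X509.

    NOTE(review): original lines 134, 141 and 146 are missing from the
    excerpt this was reconstructed from; ``cert = crypto.X509()`` mirrors
    create_ca.
    """
    cert = crypto.X509()
    cert.set_serial_number(_get_serial_number(cadir))
    cert.gmtime_adj_notBefore(0)
    cert.gmtime_adj_notAfter(60*60*24*365*10)  # 10 years, in seconds
    cert.set_issuer(cacert.get_subject())
    # Subject and key come straight from the CSR; the caller is responsible
    # for deciding whether this CSR deserves a certificate at all.
    cert.set_subject(csr.get_subject())
    cert.set_pubkey(csr.get_pubkey())

    # Bug fix: the original called cacert.add_extensions(), so the issued
    # certificate never carried basicConstraints and the in-memory CA object
    # accumulated a CA:FALSE extension on every call. The value is also
    # normalised to CA:FALSE, the canonical spelling in OpenSSL's
    # x509v3_config documentation; mixed-case 'False' is not among the
    # documented boolean forms.
    xt = crypto.X509Extension('basicConstraints', False, 'CA:FALSE')
    # FIXME - add subjectKeyIdentifier and authorityKeyIdentifier extensions;
    # an authorityKeyIdentifier keyid needs the CA cert to carry a
    # subjectKeyIdentifier first, which create_ca does not add yet.
    cert.add_extensions((xt,))
    cert.sign(cakey, digest)

    if slave_cert_file:
        with open(slave_cert_file, 'w') as destfo:
            destfo.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))

    return cert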
152 def check_cert_key_match(cert
, key
):
153 if not isinstance(cert
, crypto
.X509Type
):
154 cert
= crypto
.load_certificate(crypto
.FILETYPE_PEM
, cert
)
155 if not isinstance(key
, crypto
.PKeyType
):
156 key
= crypto
.load_privatekey(crypto
.FILETYPE_PEM
, key
)
158 from OpenSSL
import SSL
159 context
= SSL
.Context(SSL
.SSLv3_METHOD
)
161 context
.use_certificate(cert
)
162 context
.use_privatekey(key
)